Azure, AADDS500 on managed domain (Entra Domain Services)

Question

Azure, AADDS500 on managed domain (Entra Domain Services)

SEDI 0

Hi there,

the Entra Domain Services in one of our environments stopped synchronizing with Azure AD roughly 7 days ago. They worked fine for >1 year.

We've got multiple environments with the same setup. (especially concerning NSGs, everything is automatically deployed / IaC, so no configuration drift there)

We receive the expected warnings / mails and ciritcal alerts but cant resolve the issue.

User's image

I have checked the linked MS Learn/Help page ( https://learn.microsoft.com/en-us/entra/identity/domain-services/troubleshoot-alerts#aadds500-synchronization-has-not-completed-in-a-while )

Inbound Network security group is setup according to the docs. ( https://learn.microsoft.com/en-us/entra/identity/domain-services/network-considerations#network-security-groups-and-required-ports )

User's image

Outbound NSG is currently set to default for the duration of this issue/troubleshooting.

No significant changes in any activity logs can be found. The core problem is, that new accounts created in Entra ID aren't synched to our domain joined VMs and cant login. (even with the password change, which is of no use when the domain services arent synching..)

Is there anything else I can do? Any way to get more insights on the issue or troubleshoot?

Apparently I cant even raise a support request without paying 100$/mo. Any help is appreciated, thanks in advance.

VEMULA SRISAI 13,030 Reputation points Microsoft External Staff Moderator

2026-04-21T13:49:08.1733333+00:00
Hello SEDI,

For AADDS500, this behavior means Microsoft Entra Domain Services is unable to complete background synchronization with Entra ID, and this is almost always caused by a condition that prevents Microsoft from managing the managed domain.

Please check the following in order:

In Entra admin center → Domain Services → Health, confirm there are no other active alerts (AADDS104, resource lock, subscription, policy, subnet/IP exhaustion, etc.). Any unresolved health alert will block sync.

Verify the AAD DS subnet has unrestricted outbound access – no UDRs, Azure Firewall, NVA, forced tunneling, or proxy inspection. Even if inbound NSGs are correct, blocked outbound traffic will stop synchronization.

Check for resource locks or Azure Policies on the AAD DS VNet, NICs, load balancer, or public IP resources. These prevent Microsoft from operating the domain controllers.

Ensure the subnet still has free IPs and that no AAD DS–managed resources were modified or deleted.

If cloud‑only users are affected, confirm the users changed their password after AAD DS was enabled (sync will not resume otherwise).

There is no supported way to manually trigger synchronization for AADDS500. If all checks above are clean and the sync does not resume automatically, Please let us know.
SEDI 0 Reputation points

2026-04-21T14:29:04.38+00:00

Thanks for your reply.

1: There are no other alerts except AADDS500.

2: There are no route tables, firewalls, NVA, NAT Gateways, locks, policies ,or similar things in use for this Vnet and subnet. This environment is pretty simple/bare-bones.

3: No locks or policies on any of the named / involved resources.

4: Subnet consists of ~10Vms in an /24 net. So theres plenty of space. We've checked the activity logs of every resource that could be involved without noticing anything of notice.

5: Cloud users are involved, we've changed their password multiple times without any effect. (creating new users and changing their passwords is without effect as well)
VEMULA SRISAI 13,030 Reputation points Microsoft External Staff Moderator

2026-04-21T14:55:17.31+00:00

SEDI Thank you for Informing, will look into further and will update you.

1 answer

Your answer

VEMULA SRISAI 13,030 Reputation points Microsoft External Staff Moderator

2026-04-21T13:49:08.1733333+00:00

Hello SEDI,

For AADDS500, this behavior means Microsoft Entra Domain Services is unable to complete background synchronization with Entra ID, and this is almost always caused by a condition that prevents Microsoft from managing the managed domain.

Please check the following in order:

In Entra admin center → Domain Services → Health, confirm there are no other active alerts (AADDS104, resource lock, subscription, policy, subnet/IP exhaustion, etc.). Any unresolved health alert will block sync.

Verify the AAD DS subnet has unrestricted outbound access – no UDRs, Azure Firewall, NVA, forced tunneling, or proxy inspection. Even if inbound NSGs are correct, blocked outbound traffic will stop synchronization.

Check for resource locks or Azure Policies on the AAD DS VNet, NICs, load balancer, or public IP resources. These prevent Microsoft from operating the domain controllers.

Ensure the subnet still has free IPs and that no AAD DS–managed resources were modified or deleted.

If cloud‑only users are affected, confirm the users changed their password after AAD DS was enabled (sync will not resume otherwise).

There is no supported way to manually trigger synchronization for AADDS500. If all checks above are clean and the sync does not resume automatically, Please let us know.
SEDI 0 Reputation points

2026-04-21T14:29:04.38+00:00

Thanks for your reply.

1: There are no other alerts except AADDS500.

2: There are no route tables, firewalls, NVA, NAT Gateways, locks, policies ,or similar things in use for this Vnet and subnet. This environment is pretty simple/bare-bones.

3: No locks or policies on any of the named / involved resources.

4: Subnet consists of ~10Vms in an /24 net. So theres plenty of space. We've checked the activity logs of every resource that could be involved without noticing anything of notice.

5: Cloud users are involved, we've changed their password multiple times without any effect. (creating new users and changing their passwords is without effect as well)
VEMULA SRISAI 13,030 Reputation points Microsoft External Staff Moderator

2026-04-21T14:55:17.31+00:00

SEDI Thank you for Informing, will look into further and will update you.

Answer 1

AI answer

For alert AADDS500, the supported troubleshooting focuses on verifying Domain Services health, network connectivity, and password sync configuration. Based on the documented guidance, use the following checks and actions:

In the Microsoft Entra admin center, open the Domain Services resource and review Health for any additional alerts beyond AADDS500. Resolve any configuration or network alerts first, then wait at least two hours and re-check synchronization status.
Specifically verify there is no AADDS104: Network error or other NSG-related alert. If present, follow the network troubleshooting steps to ensure the Azure platform can reach the managed domain controllers. Invalid NSG rules or user-defined routes that block required ports will stop synchronization.
Confirm that required network connectivity is not blocked:
- Validate NSG rules against the documented network requirements for Domain Services and network security groups and required ports. Ensure no higher-priority deny rules or custom routes block traffic needed for monitoring, updates, and synchronization.
- If any network configuration alerts exist, fix them and then wait two hours to see whether synchronization resumes.
Verify password synchronization configuration, because missing or incomplete password sync prevents new users from signing in even after objects sync:
- For cloud-only users, ensure password synchronization was enabled when the managed domain was deployed and that affected users have changed their passwords after Domain Services was enabled so that the required credential hashes are generated.
- For hybrid users, confirm that Microsoft Entra Connect is configured for password hash synchronization and that a full synchronization has been performed.
For users who cannot sign in:
- Use UPN format (for example, ******@tenant.onmicrosoft.com) when testing sign-in to the managed domain.
- For hybrid accounts, verify the latest recommended Microsoft Entra Connect release is installed, a full sync has run, and, if needed, restart the Microsoft Azure AD Sync service on the Entra Connect server.

If, after resolving any health and network alerts and confirming password synchronization, the AADDS500 alert persists and synchronization does not resume after a couple of hours, the remaining supported option is to open an Azure support request for deeper platform-side investigation.

References:

AI-generated content may be incorrect. Read our transparency notes for more information.

Share via

Azure, AADDS500 on managed domain (Entra Domain Services)

1 answer

Your answer