Known issues: Network configuration alerts in Microsoft Entra Domain Services
To let applications and services correctly communicate with a Microsoft Entra Domain Services managed domain, specific network ports must be open to allow traffic to flow. In Azure, you control the flow of traffic using network security groups. The health status of a Domain Services managed domain shows an alert if the required network security group rules aren't in place.
This article helps you understand and resolve common alerts for network security group configuration issues.
Alert AADDS104: Network error
Alert message
Microsoft is unable to reach the domain controllers for this managed domain. This may happen if a network security group (NSG) configured on your virtual network blocks access to the managed domain. Another possible reason is if there is a user-defined route that blocks incoming traffic from the internet.
Invalid network security group rules are the most common cause of network errors for Domain Services. The network security group for the virtual network must allow access to specific ports and protocols. If these ports are blocked, the Azure platform can't monitor or update the managed domain. The synchronization between the Microsoft Entra directory and Domain Services is also impacted. Make sure you keep the default ports open to avoid interruption in service.
Default security rules
The following default inbound and outbound security rules are applied to the network security group for a managed domain. These rules keep Domain Services secure and allow the Azure platform to monitor, manage, and update the managed domain.
Inbound security rules
Priority | Name | Port | Protocol | Source | Destination | Action |
---|---|---|---|---|---|---|
301 | AllowPSRemoting | 5986 | TCP | AzureActiveDirectoryDomainServices | Any | Allow |
201 | AllowRD | 3389 | TCP | CorpNetSaw | Any | Allow1 |
65000 | AllVnetInBound | Any | Any | VirtualNetwork | VirtualNetwork | Allow |
65001 | AllowAzureLoadBalancerInBound | Any | Any | AzureLoadBalancer | Any | Allow |
65500 | DenyAllInBound | Any | Any | Any | Any | Deny |
1Optional for debugging but change the default to deny when not needed. Allow the rule when required for advanced troubleshooting.
Note
You may also have an additional rule that allows inbound traffic if you configure secure LDAP. This additional rule is required for the correct LDAPS communication.
Outbound security rules
Priority | Name | Port | Protocol | Source | Destination | Action |
---|---|---|---|---|---|---|
65000 | AllVnetOutBound | Any | Any | VirtualNetwork | VirtualNetwork | Allow |
65001 | AllowAzureLoadBalancerOutBound | Any | Any | Any | Internet | Allow |
65500 | DenyAllOutBound | Any | Any | Any | Any | Deny |
Note
Domain Services needs unrestricted outbound access from the virtual network. We don't recommend that you create any additional rules that restrict outbound access for the virtual network.
Verify and edit existing security rules
To verify the existing security rules and make sure the default ports are open, complete the following steps:
In the Microsoft Entra admin center, search for and select Network security groups.
Choose the network security group associated with your managed domain, such as AADDS-contoso.com-NSG.
On the Overview page, the existing inbound and outbound security rules are shown.
Review the inbound and outbound rules and compare to the list of required rules in the previous section. If needed, select and then delete any custom rules that block required traffic. If any of the required rules are missing, add a rule in the next section.
After you add or delete rules to allow the required traffic, the managed domain's health automatically updates itself within two hours and removes the alert.
Add a security rule
To add a missing security rule, complete the following steps:
- In the Microsoft Entra admin center, search for and select Network security groups.
- Choose the network security group associated with your managed domain, such as AADDS-contoso.com-NSG.
- Under Settings in the left-hand panel, click Inbound security rules or Outbound security rules depending on which rule you need to add.
- Select Add, then create the required rule based on the port, protocol, direction, and so on. When ready, select OK.
It takes a few moments for the security rule to be added and show in the list.
Next steps
If you still have issues, open an Azure support request for additional troubleshooting assistance.