This topic shows steps that might help troubleshoot common issues with Managed Service for Microsoft Active Directory.
Unable to create a Managed Microsoft AD domain
If you are unable to create a Managed Microsoft AD domain, verifying the following configurations could help.
Required APIs
Managed Microsoft AD requires that you enable a group of APIs before you can create a domain.
To verify that the required APIs are enabled, complete the following steps:
Console
- Go to the APIs & Services page in the Google Cloud console.
- On the Dashboard page, verify that the following APIs are listed:
- Managed Service for Microsoft Active Directory API
- Compute Engine API
- Cloud DNS API
gcloud
Run the following gcloud CLI command:
gcloud services list --enabled
The command returns the list of enabled APIs (the --enabled flag is the default; --available would list every API offered, whether enabled or not). Verify that the following APIs are listed:
- Managed Service for Microsoft Active Directory API
- Compute Engine API
- Cloud DNS API
If any of these APIs are missing, complete the following steps to enable them:
Console
- Go to the API Library page in the Google Cloud console.
- On the API Library page, in the search field, enter the name of the missing API.
- On the API information page, click Enable.
gcloud
Run the following gcloud CLI command:
gcloud services enable api-name
Replace api-name with the service name of the missing API, for example dns.googleapis.com for the Cloud DNS API. Repeat this process until all of the required APIs are enabled.
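As an added example (not part of the Google Cloud documentation), the following POSIX shell script takes the one-name-per-line output of gcloud services list --enabled --format='value(config.name)' and reports which required APIs are missing, then prints the matching enable commands. The sample output is constructed; managedidentities.googleapis.com is the service name of the Managed Service for Microsoft Active Directory API, which this page does not spell out.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation. It takes the output
# of `gcloud services list --enabled --format='value(config.name)'` (one
# service name per line) and reports which of the APIs Managed Microsoft AD
# requires are missing, then prints the enable commands. The sample output is
# constructed; managedidentities.googleapis.com is the service name of the
# Managed Service for Microsoft Active Directory API (not listed on this page).

REQUIRED_APIS="managedidentities.googleapis.com compute.googleapis.com dns.googleapis.com"

# Constructed sample: a project with Compute Engine and Cloud DNS enabled but
# not the Managed Microsoft AD API.
SAMPLE_ENABLED='compute.googleapis.com
dns.googleapis.com
logging.googleapis.com'

# missing_apis ENABLED_LIST -> prints each required API absent from the list,
# one per line; prints nothing when all three are enabled
missing_apis() {
    for api in $REQUIRED_APIS; do
        if ! printf '%s\n' "$1" | grep -qxF "$api"; then
            printf '%s\n' "$api"
        fi
    done
}

# enable_commands ENABLED_LIST -> prints (does not run) one
# `gcloud services enable` command per missing API
enable_commands() {
    missing_apis "$1" | while read -r api; do
        printf 'gcloud services enable %s\n' "$api"
    done
}

# Stand-alone run against the constructed sample. On a real project you would
# feed it live output:
#   enable_commands "$(gcloud services list --enabled --format='value(config.name)')"
enable_commands "$SAMPLE_ENABLED"
```

The script only prints the enable commands so that you can review them before running anything against the project.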
Billing
Managed Microsoft AD requires that you enable billing before you can create a domain.
To verify that billing is enabled, complete the following steps:
Console
- Go to the Billing page in the Google Cloud console.
- Verify that there is a billing account set up for your organization.
- Select the My projects tab and then verify that the project where you are trying to create a Managed Microsoft AD domain is listed.
gcloud
Run the following gcloud CLI command:
gcloud beta billing projects describe project-id
If you do not see a valid billing account linked to the project, you should enable billing.
IP address range
If you receive an IP range overlap error when you try to create a domain, the reserved IP address range that you provided in the domain creation request overlaps with the IP address range of the authorized network. To resolve this issue, choose a different reserved IP address range or a different authorized network. For more information, see Select IP address ranges.
Permissions
If you receive a Permission denied error when you try to create a domain, verify that the calling identity is allowed to call the Managed Microsoft AD API. Learn more about Managed Microsoft AD roles and permissions.
Organization Policy
If domain creation fails, you may need to change an organization policy. Learn about Organization Policy Constraints.
You must be an organization policy administrator (roles/orgpolicy.policyAdmin) to update organization policies.
Resource Location Restriction organization policy
This list constraint defines the set of locations where location-based Google Cloud resources can be created. Denying the global location can impact Managed Microsoft AD.
To view and update the Resource Location Restriction organization policy:
Console
- Go to the Organization policies page in the Google Cloud console.
- On the Organization policies page, in the Name column, select the Resource Location Restriction policy to open the Policy summary panel.
- In the Policy summary panel, verify that the global location is allowed.
- If you need to make a change, select Edit, update the policy, and then click Save.
Learn about restricting resource locations.
gcloud
To view the details for the Resource Location Restriction organization policy, run the following gcloud CLI command. Learn about the gcloud beta resource-manager org-policies describe command.
gcloud beta resource-manager org-policies describe constraints/gcp.resourceLocations \
    --organization=organization-id
If the describe command shows that global is not allowed, run the following command to allow it. Learn about the gcloud beta resource-manager org-policies allow command.
gcloud beta resource-manager org-policies allow constraints/gcp.resourceLocations global \
    --organization=organization-id
Restrict VPC peering usage organization policy
This list constraint defines the set of VPC networks that are allowed to be peered with the VPC networks belonging to a given resource. When you specify an authorized network for a Managed Microsoft AD domain, a VPC peering is created between the authorized network and the isolated network containing the AD domain controllers. If the organization policy for the project denies peerings, Managed Microsoft AD cannot create any peerings to the authorized network, so domain creation fails. You receive an error like this:
GCE_PRECONDITION_FAILED: Constraint constraints/compute.restrictVpcPeering violated for project project-id. Peering the network projects/id/global/networks/network is not allowed.
To view and update the Restrict VPC peering usage organization policy:
Console
- Go to the Organization policies page in the Google Cloud console.
- On the Organization policies page, in the Name column, select the Restrict VPC peering usage policy to open the Policy summary panel.
- In the Policy summary panel, verify that the project allows peerings.
- If you need to make a change, select Edit, update the policy, and then click Save.
gcloud
To view the details for the Restrict VPC peering usage organization policy, run the following gcloud CLI command. Learn about the gcloud beta resource-manager org-policies describe command.
gcloud beta resource-manager org-policies describe constraints/compute.restrictVpcPeering \
    --organization=organization-id
If the describe command shows that peerings are not allowed, run the following command to allow them. Learn about the gcloud beta resource-manager org-policies allow command.
gcloud beta resource-manager org-policies allow constraints/compute.restrictVpcPeering under:projects/project-name \
    --organization=organization-id
project-name is the name of the project that contains the Managed Microsoft AD resource. organization-id is the ID of the organization that hosts that project.
Unable to join a Windows VM automatically to a domain
Here are some issues with error codes that you might run into when trying to join a Windows VM automatically to a domain:
Error code | Description | Potential solution |
---|---|---|
CONFLICT (409) | Indicates that the Compute Engine VM instance account already exists in the Managed Microsoft AD domain. | Remove the account manually from Managed Microsoft AD using RSAT tools and try again. For more information about managing AD objects in Managed Microsoft AD, see Manage Active Directory objects. |
BAD_REQUEST (412) | Indicates that the domain join request contains invalid information, such as an incorrect domain name or an incorrect organizational unit (OU) hierarchy structure. | Review the information, update the details if required, and try again. |
INTERNAL (500) | Indicates that the server encountered an unknown internal error. | Contact Google Cloud Support to resolve this issue. |
FORBIDDEN (403) | Indicates that the user or the specified service account doesn't have the required privileges. | Check if you have the required privileges and try again. |
UNAUTHORIZED (401) | Indicates that the VM lacks valid authorization to join the domain. | Check if you have the required privileges and try again. |
Unable to use shared VPC as authorized network
In order to access a Managed Microsoft AD domain from a shared VPC network, the domain must be created in the same project that hosts the shared VPC network.
Unable to access Managed Microsoft AD domain
If your Managed Microsoft AD domain seems to be unavailable, you can get more information about its status by completing the following steps:
Console
- Go to the Managed Service for Microsoft Active Directory page in the Google Cloud console.
- On the Managed Service for Microsoft Active Directory page, in the Status column, you can view the statuses for your domains.
gcloud
Run the following gcloud CLI command:
gcloud active-directory domains list
This command returns the statuses for your domains.
If your domain status is DOWN, this indicates that your account may have been suspended. Contact Google Cloud Support to resolve this issue.
If your domain status is PERFORMING_MAINTENANCE, Managed Microsoft AD should still be available for use, but may not allow adding or removing regions. This status is rare and only happens when the OS is patched.
Unable to create trust
If you follow the steps for creating a trust, but cannot complete the process, verifying the following configurations could help.
On-premises domain is reachable
To verify that the on-premises domain is reachable from the Managed Microsoft AD domain, you can use ping or Test-NetConnection. Run these commands from a VM hosted on Google Cloud and on an authorized network. Verify that the VM can reach an on-premises domain controller. Learn more about Test-NetConnection.
IP address
To verify that the IP address that was supplied during the trust setup is able to resolve the on-premises domain, run the following command:
nslookup on-premises-domain-name conditional-forwarder-address
If there are multiple conditional forwarder addresses, you can test against any of them. Learn more about nslookup.
On-premises trust relationship
To verify that the on-premises trust relationship is established, you should check that the following information matches.
- The type and direction of the trust matches on-premises expectations
- The trust secret supplied while creating the trust matches the one entered on-premises
The on-premises trust direction is complementary to the trust expectation on Managed Microsoft AD. That means that if the on-premises domain expects an inbound trust, the trust direction for the Managed Microsoft AD domain is outbound. Learn more about trust directions.
Trust no longer works
If you previously created a trust, but it no longer works, you should verify the same configurations as you would for troubleshooting creating a trust.
Additionally, if a trust is not used for 60 days or more, the trust password expires. To refresh the password, change the password for the trust on the on-premises domain, and then update the password on the Managed Microsoft AD domain.
Active Directory authentication is failing (Managed Microsoft AD-hosted accounts)
If it appears that the Active Directory authentication is failing when using Managed Microsoft AD-hosted accounts, verifying the following configurations could help.
VM is on an authorized network
To verify that the VM used to access the domain is on an authorized network, complete the following steps.
- Go to the Managed Service for Microsoft Active Directory page in the Google Cloud console.
- Select the name of your domain.
- On the Domain page, under Networks, check that the authorized network is listed.
Username and password are correct
Verify that the username and password provided to log in are correct.
Firewall rules
A deny firewall rule for egress to the domain controllers' IP address range could cause authentication to fail.
To check your firewall rules, complete the following steps:
Console
- Go to the Firewall rules page in the Google Cloud console.
- On this page, check that there is not a deny rule for egress configured for the domain controllers' IP address range.
gcloud
Run the following gcloud CLI command:
gcloud compute firewall-rules list
This command returns a list of the configured firewall rules. Check that there is not a deny rule for egress configured for the domain controllers' IP address range.
Learn more about firewall rules.
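The two range checks this page asks for, whether the reserved IP range overlaps the authorized network (the IP range overlap error under domain creation) and whether an egress deny firewall rule covers the domain controllers' range, both come down to CIDR overlap. The POSIX shell script below is an added example, not Google's code: it implements the overlap test with shell arithmetic and runs it over a constructed, tab-separated list of firewall rules (name, direction, action, destination ranges). The rule rows are invented for the example; on a real project you would produce them from gcloud compute firewall-rules list with a --format of your choosing.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation. It implements the two
# range checks described on this page: does the reserved IP range chosen for the
# domain overlap the authorized network's range, and does any EGRESS deny
# firewall rule cover the domain controllers' reserved range. Only POSIX sh
# arithmetic is used; the firewall list below is constructed sample data.

# ip_to_int DOTTED_QUAD -> prints the address as a 32-bit unsigned integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap A/LEN B/LEN -> succeeds when the two ranges share any address.
# Two ranges overlap exactly when they agree on the first min(lenA, lenB) bits.
cidr_overlap() {
    a_ip=${1%/*}; a_len=${1#*/}
    b_ip=${2%/*}; b_len=${2#*/}
    len=$a_len
    [ "$b_len" -lt "$len" ] && len=$b_len
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$a_ip") & mask )) -eq $(( $(ip_to_int "$b_ip") & mask )) ]
}

# Constructed sample of firewall rules flattened to tab-separated columns:
# name, direction, action, destination ranges (semicolon-separated). The rows
# are invented for the example.
SAMPLE_RULES="$(printf 'allow-internal\tINGRESS\tallow\t10.0.0.0/8\ndeny-egress-dc\tEGRESS\tdeny\t10.100.0.0/24;192.168.1.0/24\ndeny-egress-other\tEGRESS\tdeny\t172.16.0.0/12\n')"

# egress_denies_to RULES DC_RANGE -> prints the name of every EGRESS deny rule
# whose destination ranges overlap the domain controllers' reserved range
egress_denies_to() {
    printf '%s\n' "$1" | while IFS="$(printf '\t')" read -r name direction action dests; do
        [ "$direction" = EGRESS ] && [ "$action" = deny ] || continue
        for dest in $(printf '%s' "$dests" | tr ';' ' '); do
            if cidr_overlap "$dest" "$2"; then
                printf '%s\n' "$name"
                break
            fi
        done
    done
}

# Stand-alone run: a reserved range of 10.100.0.0/24 against a 10.100.0.128/25
# subnet in the authorized network (they overlap), then the sample rules
# against that reserved range (deny-egress-dc is the offender).
if cidr_overlap 10.100.0.0/24 10.100.0.128/25; then
    echo "reserved range overlaps the authorized network: choose another range"
fi
egress_denies_to "$SAMPLE_RULES" 10.100.0.0/24
```

Any rule name the script prints is one to inspect in the console or with gcloud compute firewall-rules describe before changing it; the script itself modifies nothing.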
IP address
Authentication can fail if the IP address that the domain name resolves to is not in the reserved CIDR range.
To check the IP address, run the following command:
nslookup domain-name
If nslookup fails or returns an IP address that is not in the reserved CIDR range, verify that the DNS zone exists.
To validate that the DNS zone exists, complete the following steps:
Console
- Go to the Cloud DNS page in the Google Cloud console.
- On the Cloud DNS page, on the Zones tab, check the In use by column for the authorized network.
gcloud
Run the following gcloud CLI command:
gcloud dns managed-zones list --filter=fqdn-for-domain
If none of the listed zones are in use by the authorized network, you should remove and re-add the authorized network.
Network peering
Authentication can fail if VPC network peering is not properly configured.
To verify peering is set up, complete the following steps:
Console
- Go to the VPC network peering page in the Google Cloud console.
- On the VPC network peering page, in the Name column, look for a peering called peering-vpc-network-name.
gcloud
Run the following gcloud CLI command:
gcloud compute networks peering list --network=network
This command returns a list of peerings. In the list, look for one called peering-vpc-network-name.
If peering-vpc-network-name is not in the list, remove and re-add the authorized network.
Active Directory authentication is failing (via trust)
If it appears that the Active Directory authentication is failing when using managed on-premises hosted accounts via trust, you should verify the same configurations as you would for troubleshooting creating a trust.
Additionally, verify that the account is in the Cloud Service Computer Remote Desktop Users delegated group. Learn more about delegated groups.
Unable to access the domain from a manageability VM
If you are unable to access the AD domain from a manageability VM, verify the same configurations as you would for troubleshooting Active Directory authentication for Managed Microsoft AD-hosted accounts.
Org policy error when creating, updating, or deleting
If you encounter an org policy error when creating, updating, or deleting resources, you may need to change an organization policy. Learn about Organization Policy Constraints.
You must be an organization policy administrator (roles/orgpolicy.policyAdmin) to update organization policies.
Define allowed APIs and services organization policy
This list constraint defines the set of services and APIs that can be enabled on a given resource. Its descendants in the resource hierarchy also inherit the constraint. If this constraint does not allow the APIs that are required for Managed Microsoft AD, you receive an error when you try to create, update, or delete resources.
To view and update the Define allowed APIs and services organization policy:
Console
- Go to the Organization policies page in the Google Cloud console.
- On the Organization policies page, in the Name column, select the Define allowed APIs and services policy to open the Policy summary panel.
- In the Policy summary panel, verify that the following APIs are not denied:
  - dns.googleapis.com
  - compute.googleapis.com
- If you need to make a change, select Edit, update the policy, and then click Save.
gcloud
Run the following gcloud CLI command. Learn about the gcloud beta resource-manager org-policies describe command.
gcloud beta resource-manager org-policies describe constraints/serviceuser.services \
    --organization=organization-id
If the describe command shows that dns.googleapis.com or compute.googleapis.com is not allowed, run the following command to allow it. Learn about the gcloud beta resource-manager org-policies allow command.
gcloud beta resource-manager org-policies allow constraints/serviceuser.services api-name \
    --organization=organization-id
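Reading the describe output by eye works for one constraint, but the same list-constraint logic applies to both policies on this page: Resource Location Restriction must allow global, and Define allowed APIs and services must not block dns.googleapis.com or compute.googleapis.com. The POSIX shell script below is an added example, not Google's code, that evaluates a list policy the way these sections describe (an explicit deniedValues entry or allValues: DENY blocks the value; an allowedValues list blocks anything not in it) and prints the allow command for each blocked value. The policy texts are constructed samples in the YAML shape gcloud prints; value groups such as in:us-locations are compared literally, so adjust the parsing if your output differs.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation. It evaluates the
# list-constraint output of `gcloud beta resource-manager org-policies describe`
# for the two policies this page covers: Resource Location Restriction (must
# allow `global`) and Define allowed APIs and services (must not block
# dns.googleapis.com or compute.googleapis.com). The policy texts below are
# constructed samples in the YAML shape gcloud prints.

# Constructed: a location policy that allows only US locations (so `global` is
# not allowed) and a services policy that denies Cloud DNS.
SAMPLE_LOCATIONS='constraint: constraints/gcp.resourceLocations
listPolicy:
  allowedValues:
  - in:us-locations'
SAMPLE_SERVICES='constraint: constraints/serviceuser.services
listPolicy:
  deniedValues:
  - dns.googleapis.com'

# list_values POLICY SECTION -> prints the entries under listPolicy.SECTION
# (SECTION is allowedValues or deniedValues), one per line
list_values() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^  [A-Za-z]+:/ { section = $1; sub(":", "", section) }
        /^  - / && section == want { print $2 }
    '
}

# policy_allows POLICY VALUE -> succeeds when VALUE is permitted: no explicit
# deny, no allValues DENY, and either no allow list or an allow list containing it
policy_allows() {
    policy=$1; value=$2
    if printf '%s\n' "$policy" | grep -q 'allValues: DENY'; then
        return 1
    fi
    if list_values "$policy" deniedValues | grep -qxF "$value"; then
        return 1
    fi
    allowed=$(list_values "$policy" allowedValues)
    if [ -n "$allowed" ] && ! printf '%s\n' "$allowed" | grep -qxF "$value"; then
        return 1
    fi
    return 0
}

# blocked_values LOCATION_POLICY SERVICES_POLICY -> prints "constraint value"
# for each value Managed Microsoft AD needs that the policies do not allow
blocked_values() {
    policy_allows "$1" global || echo "constraints/gcp.resourceLocations global"
    for api in dns.googleapis.com compute.googleapis.com; do
        policy_allows "$2" "$api" || echo "constraints/serviceuser.services $api"
    done
}

# allow_commands LOCATION_POLICY SERVICES_POLICY ORG_ID -> prints (does not run)
# the `org-policies allow` command for each blocked value
allow_commands() {
    blocked_values "$1" "$2" | while read -r constraint value; do
        echo "gcloud beta resource-manager org-policies allow $constraint $value --organization=$3"
    done
}

# Stand-alone run against the constructed samples; organization-id is a placeholder.
allow_commands "$SAMPLE_LOCATIONS" "$SAMPLE_SERVICES" organization-id
```

To use it on live output, capture each describe command into a variable and pass the two texts to allow_commands; the script prints the allow commands rather than running them, so the policy change stays a deliberate step by the organization policy administrator.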
Restrict VPC peering usage organization policy
This list constraint defines the set of VPC networks that are allowed to be peered with the VPC networks belonging to a given resource. If peerings are denied, you receive an error when you try to create, update, or delete resources. Learn how to view and update the Restrict VPC peering usage organization policy.
Unable to resolve on-premises resources from Google Cloud
If you are unable to resolve on-premises resources from Google Cloud, you may need to change your DNS configuration. Learn how to configure DNS forwarding to resolve queries for non-Managed Microsoft AD objects in VPC networks.
Intermittent DNS lookup failures
If you are experiencing intermittent DNS lookup failures when using a highly available scheme for Cloud Interconnect or multiple VPNs, you should verify the following configurations:
- A route for 35.199.192.0/19 exists.
- The on-premises network allows traffic from 35.199.192.0/19 for all Cloud Interconnect connections or VPN tunnels.
Delegated administrator account password expires
If the password for the delegated administrator account has expired, you can reset the password. To avoid this problem in the future, you can disable the password expiration for the account.
Unable to view Managed Microsoft AD audit logs
If you are unable to view any Managed Microsoft AD audit logs in the Log Viewer or Logs Explorer, verify the following configurations:
- Logging is enabled for the domain.
- You have the roles/logging.viewer IAM role on the project where the domain is located.