Troubleshooting Managed Microsoft AD

This topic shows steps that might help troubleshoot common issues with Managed Service for Microsoft Active Directory.

Unable to create a Managed Microsoft AD domain

If you are unable to create a Managed Microsoft AD domain, verifying the following configurations could help.

Required APIs

Managed Microsoft AD requires that you enable a group of APIs before you can create a domain.

To verify that the required APIs are enabled, complete the following steps:

Console

  1. Go to the APIs & Services page in the Cloud Console.
    Go to the APIs & Services page
  2. On the Dashboard page, verify that the following APIs are listed:

    • Managed Service for Microsoft Active Directory API
    • Compute Engine API
    • Cloud DNS API

gcloud

  1. Run the following gcloud tool command:

    gcloud services list --available
    
  2. The command returns the list of enabled APIS. Verify that the following APIs are listed:

    • Managed Service for Microsoft Active Directory API
    • Compute Engine API
    • Cloud DNS API

If any of these APIs are missing, complete the following steps to enable them:

Console

  1. Go to the API Library page in the Cloud Console.
    Go to the API Library page
  2. On the API Library page, in the search field, enter the name of the missing API.
  3. On the API information page, click Enable.

gcloud

Run the following gcloud tool command:

  gcloud services enable api-name
  

Repeat this process until all of the required APIs are enabled.

Billing

Managed Microsoft AD requires that you enable billing before you can create a domain.

To verify that billing is enabled, complete the following steps:

Console

  1. Go to the Billing page in the Cloud Console.
    Go to the Billing page
  2. Verify that there is a billing account set up for your organization.
  3. Select the My projects tab and then verify that the project where you are trying to create a Managed Microsoft AD domain is listed.

gcloud

Run the following gcloud tool command:

  gcloud beta billing projects describe project-id
  

If you do not see a valid billing account linked to the project, you should enable billing.

IP address range

If you receive an IP range overlap error when you try to create a domain, it means that reserved IP address range that you provided in the domain creation request overlaps with the IP address range of the authorized network. To resolve this issue, you should choose a different IP address range or a different authorized network. Learn more about selecting IP ranges.

Permissions

If you receive a Permission denied error when you try to create a domain, you should verify that the calling identity is allowed to call the Managed Microsoft AD API. Learn more about Managed Microsoft AD roles and permissions.

Organization Policy

If domain creation fails, you may need to change an organization policy. Learn about Organization Policy Constraints.

You must be an organization policy administrator (roles/orgpolicy.policyAdmin) to update organization policies.

Resource Location Restriction organization policy

This list constraint defines the set of locations where location-based Google Cloud resources can be created. Denying the global location can impact Managed Microsoft AD.

To view and update the Resource Location Restriction organization policy:

Console

  1. Go to the Organization policies page in the Google Cloud Console.
    Go to the Organization policies page
  2. On the Organization policies page, in the Name column, select the Resource Location Restriction policy to open the Policy summary panel.
  3. In the Policy summary panel, verify that the global location is allowed.
  4. If you need to make a change, select Edit, update the policy, and then click Save.

Learn about restricting resource locations.

gcloud

  1. To view the details for the Resource Location Restriction organization policy, run the following gcloud tool command. Learn about the gcloud beta resource-manager org-policies describe command.

    gcloud beta resource-manager org-policies describe constraints/gcp.resourceLocations \
        --organization=organization-id
    
  2. If the describe command shows that global is not allowed, run the following command to allow it. Learn about the gcloud beta resource-manager org-policies allow command.

    gcloud beta resource-manager org-policies allow constraints/gcp.resourceLocations global \
        --organization=organization-id
    

Learn about restricting resource locations.

Restrict VPC peering usage organization policy

This list constraint defines the set of VPC networks that are allowed to be peered with the VPC networks belonging to a given resource. When you specify an authorized network for a Managed Microsoft AD domain, a VPC peering is created between the authorized network and the isolated network containing the AD domain controllers. If the organization policy for the project denies peerings, Managed Microsoft AD cannot create any peerings to the authorized network so domain creation fails. You receive an error like this:

GCE_PRECONDITION_FAILED: Constraint constraints /compute.restrictVpcPeering
violated for project project-id. Peering the network projects/id/global/networks/network
is not allowed.

To view and update the Restrict VPC peering usage organization policy:

Console

  1. Go to the Organization policies page in the Google Cloud Console.
    Go to the Organization policies page
  2. On the Organization policies page, in the Name column, select the Restrict VPC peering usage policy to open the Policy summary panel.
  3. In the Policy summary panel, verify that the project allows peerings.
  4. If you need to make a change, select Edit, update the policy, and then click Save.

gcloud

  1. To view the details for the Restrict VPC peering usage organization policy, run the following gcloud tool command. Learn about the gcloud beta resource-manager org-policies describe command.

    gcloud beta resource-manager org-policies describe constraints/compute.restrictVpcPeering \
        --organization=organization-id
    
  2. If the describe command shows that peerings are not allowed, run the following command to allow it. Learn about the gcloud beta resource-manager org-policies allow command.

    gcloud beta resource-manager org-policies allow constraints/compute.restrictVpcPeering under:projects/project-name \
        --organization=organization-id
    

    project-name is the name of the project that contains the Managed Microsoft AD resource. organization-id is the ID of the organization that hosts that project.

Unable to use shared VPC as authorized network

In order to access a Managed Microsoft AD domain from a shared VPC network, the domain must be created in the same project that hosts the shared VPC network.

Unable to access Managed Microsoft AD domain

If your Managed Microsoft AD domain seems to be unavailable, you can get more information about its status by completing the following steps:

Console

Go to the Managed Service for Microsoft Active Directory page in the Cloud Console.
Go to the Managed Service for Microsoft Active Directory page

On the Managed Service for Microsoft Active Directory page, in the Status column, you can view the statuses for your domains.

gcloud

Run the following gcloud tool command:

gcloud active-directory domains list

This command returns the statuses for your domains.

If your domain status is DOWN, this indicates that your account may have been suspended. Contact Google Cloud Support to resolve this issue.

If your domain status is PERFORMING_MAINTENANCE, Managed Microsoft AD should still be available for use, but may not allow adding or removing regions. This status is rare and only happens when the OS is patched.

Unable to create trust

If you follow the steps for creating a trust, but cannot complete the process, verifying the following configurations could help.

On-premises domain is reachable

To verify that the on-premises domain is reachable from the Managed Microsoft AD domain, you can use ping or Test-NetConnection. Run these commands from a VM hosted on Google Cloud and on an authorized network. Verify that the VM can reach an on-premises domain controller. Learn more about Test-NetConnection.

IP address

To verify that the IP address that was supplied during the trust setup is able to resolve the on-premises domain, run the following command:

nslookup on-premises-domain-name conditional-forwarder-address

If there are multiple conditional forwarder addresses, you can test against any of them.

Learn more about nslookup.

On-premises trust relationship

To verify that the on-premises trust relationship is established, you should check that the following information matches.

  • The type and direction of the trust matches on-premises expectations
  • The trust secret supplied while creating the trust matches the one entered on-premises

The on-premises trust direction is complementary to the trust expectation on Managed Microsoft AD. That means that if the on-premises domain expects an inbound trust, the trust direction for the Managed Microsoft AD domain is outbound. Learn more about trust directions.

Trust no longer works

If you previously created a trust, but it no longer works, you should verify the same configurations as you would for troubleshooting creating a trust.

Additionally, if a trust is not used for 60 days or more, the trust password expires. To refresh the password, change the password for the trust on the on-premises domain, and then update the password on the Managed Microsoft AD domain.

Active Directory authentication is failing (Managed Microsoft AD-hosted accounts)

If it appears that the Active Directory authentication is failing when using Managed Microsoft AD-hosted accounts, verifying the following configurations could help.

VM is on an authorized network

To verify that the VM used to access the domain is on an authorized network, complete the following steps.

  1. Go to the Managed Service for Microsoft Active Directory page in the Cloud Console.
    Go to the Managed Service for Microsoft Active Directory page

  2. Select the name of your domain.

  3. On the Domain page, under Networks, check that the authorized network is listed.

Username and password are correct

Verify that the username and password provided to log in are correct.

Firewall rules

A deny firewall rule for egress to the domain controllers' IP address range could cause authentication to fail.

To check your firewall rules, complete the following steps:

Console

  1. Go to the Firewall rules page in the Cloud Console.
    Go to the Firewall rules page

  2. On this page, check that there is not a deny for egress configured for the domain controllers' IP address range.

gcloud

  1. Run the following gcloud tool command:

    gcloud compute firewall-rules list
    
  2. This command returns a list of the configured firewall rules. Check that there is not a deny for egress configured for the domain controllers' IP address range.

Learn more about firewall rules.

IP address

Authentication can fail if the IP address is not in the reserved CIDR range.

To check the IP address, run the following command.

nslookup domain-name

If nslookup fails or returns an IP address that is not in CIDR range, you should verify that the DNS zone exists.

To validate that the DNS zone exists, complete the following steps:

Console

  1. Go to the Cloud DNS page in the Cloud Console.
    Go to the Cloud DNS page

  2. On the Cloud DNS page, on the Zones tab, check the In use by column for the authorized network.

gcloud

  1. Run the following gcloud tool command:

    gcloud dns managed-zones list --filter=fqdn-for-domain
    

If none of the listed zones are in use by the authorized network, you should remove and re-add the authorized network.

Network peering

Authentication can fail if VPC network peering is not properly configured.

To verify peering is set up, complete the following steps:

Console

  1. Go to the VPC network peering page in the Cloud Console.
    Go to the VPC network peering page

  2. On the VPC network peering page, in the Name column, look for a peering called peering-vpc-network-name.

gcloud

  1. Run the following gcloud tool command:

    gcloud compute networks peering list --network=network
    
  2. This command returns a list of peerings. In the list, look for one called peering-vpc-network-name.

If peering-vpc-network-name is not in the list, you should remove and re-add the authorized network.

Active Directory authentication is failing (via trust)

If it appears that the Active Directory authentication is failing when using managed on-premises hosted accounts via trust, you should verify the same configurations as you would for troubleshooting creating a trust.

Additionally, verify that the account is in the Cloud Service Computer Remote Desktop Users delegated group. Learn more about delegated groups

Unable to access the domain from a manageability VM

If you are unable able to access the AD domain from a manageability VM, you should verify the same configurations as you would for troubleshooting Active Directory authentication for Managed Microsoft AD-hosted accounts.

Org policy error when creating, updating, or deleting

If you encounter an org policy error when creating, updating, or deleting resources, you may need to change an organization policy. Learn about Organization Policy Constraints.

You must be an organization policy administrator (roles/orgpolicy.policyAdmin) to update organization policies.

Define allowed APIs and services organization policy

This list constraint defines the set of services and APIs that can be enabled on a given resource. Its descendants in the resource hierarchy also inherit the constraint. If this constraint does not allow the APIs that are required for Managed Microsoft AD, you receive an error when you try to create, update, or delete resources.

To view and update the Define allowed APIs and services organization policy:

Console

  1. Go to the Organization policies page in the Google Cloud Console.
    Go to the Organization policies page
  2. On the Organization policies page, in the Name column, select the Define allowed APIs and services policy to open the Policy summary panel.
  3. In the Policy summary panel, verify that the following APIs are not denied:
    • dns.googleapis.com
    • compute.googleapis.com
  4. If you need to make a change, select Edit, update the policy, and then click Save.

gcloud

  1. Run the following gcloud tool command. Learn about the gcloud beta resource-manager org-policies describe command.

    gcloud beta resource-manager org-policies describe constraints/serviceuser.services \
        --organization=organization-id
    
  2. If the describe command shows that dns.googleapis.com or compute.googleapis.com is not allowed, run the following command to allow it. Learn about the gcloud beta resource-manager org-policies allow command.

    gcloud beta resource-manager org-policies allow constraints/serviceuser.services api-name \
        --organization=organization-id
    

Restrict VPC peering usage organization policy

This list constraint defines the set of VPC networks that are allowed to be peered with the VPC networks belonging to a given resource. If peerings are denied, you receive an error when you try to create, update, or delete resources. Learn how to view and update the Restrict VPC peering usage organization policy.

Unable to resolve on-premises resources from Google Cloud

If you are unable to resolve on-premises resources from Google Cloud, you may need to change your DNS configuration. Learn how to configure DNS forwarding to resolve queries for non-Managed AD objects in VPC networks.

Intermittent DNS lookup failures

If you are experiencing intermittent DNS lookup failures when using a highly available scheme for Cloud Interconnect or multiple VPNs, you should verify the following configurations:

  • A route for 35.199.192.0/19 exists.
  • The on-premises network allows traffic from 35.199.192.0/19 for all Cloud Interconnect connections or VPN tunnels.

Delegated administrator account password expires

If the password for the delegated administrator account has expired, you can reset the password. To avoid this problem in the future, you can disable the password expiration for the account.