Known issues: Network configuration alerts in Azure Active Directory Domain Services

To let applications and services communicate correctly with an Azure Active Directory Domain Services (Azure AD DS) managed domain, specific network ports must be open to allow traffic to flow. In Azure, you control the flow of traffic using network security groups. The health status of an Azure AD DS managed domain shows an alert if the required network security group rules aren't in place.

This article helps you understand and resolve common alerts for network security group configuration issues.

Alert AADDS104: Network error

Alert message

Microsoft is unable to reach the domain controllers for this managed domain. This may happen if a network security group (NSG) configured on your virtual network blocks access to the managed domain. Another possible reason is if there is a user-defined route that blocks incoming traffic from the internet.

Invalid network security group rules are the most common cause of network errors for Azure AD DS. The network security group for the virtual network must allow access to specific ports and protocols. If these ports are blocked, the Azure platform can't monitor or update the managed domain, and synchronization between the Azure AD directory and Azure AD DS is also impacted. Make sure you keep the default ports open to avoid interruption in service.

Default security rules

The following default inbound and outbound security rules are applied to the network security group for a managed domain. These rules keep Azure AD DS secure and allow the Azure platform to monitor, manage, and update the managed domain.

Inbound security rules

Priority  Name                           Port  Protocol  Source                              Destination     Action
301       AllowPSRemoting                5986  TCP       AzureActiveDirectoryDomainServices  Any             Allow
201       AllowRD                        3389  TCP       CorpNetSaw                          Any             Deny [1]
65000     AllVnetInBound                 Any   Any       VirtualNetwork                      VirtualNetwork  Allow
65001     AllowAzureLoadBalancerInBound  Any   Any       AzureLoadBalancer                   Any             Allow
65500     DenyAllInBound                 Any   Any       Any                                 Any             Deny

[1] Optional for debugging. Allow when required for advanced troubleshooting.

Note

You may also have an additional rule that allows inbound traffic if you configure secure LDAP. This additional rule is required for correct LDAPS communication.

Outbound security rules

Priority  Name                            Port  Protocol  Source          Destination     Action
65000     AllVnetOutBound                 Any   Any       VirtualNetwork  VirtualNetwork  Allow
65001     AllowAzureLoadBalancerOutBound  Any   Any       Any             Internet        Allow
65500     DenyAllOutBound                 Any   Any       Any             Any             Deny

Note

Azure AD DS needs unrestricted outbound access from the virtual network. We don't recommend that you create any additional rules that restrict outbound access for the virtual network.

Verify and edit existing security rules

To verify the existing security rules and make sure the default ports are open, complete the following steps:

  1. In the Azure portal, search for and select Network security groups.

  2. Choose the network security group associated with your managed domain, such as AADDS-contoso.com-NSG.

  3. On the Overview page, the existing inbound and outbound security rules are shown.

    Review the inbound and outbound rules and compare them to the list of required rules in the previous section. If needed, select and then delete any custom rules that block required traffic. Keep in mind that NSG rules are evaluated in priority order (lowest number first) and the first matching rule wins, so a custom Deny rule with a lower priority number than a required Allow rule blocks that traffic even though the Allow rule is present. If any of the required rules are missing, add a rule as described in the next section.

    After you add or delete rules to allow the required traffic, the managed domain's health automatically updates itself within two hours and removes the alert.
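The comparison in step 3 can be scripted. The following is an added example, not code from this article or from Microsoft: it audits an NSG rule list against the three required inbound Allow rules from the table above, reporting each one as ok, missing, or blocked by a custom Deny rule that sorts ahead of it, and lists any custom outbound Deny rules that would restrict the outbound access Azure AD DS needs. It assumes the rules are dicts shaped like the JSON objects that `az network nsg rule list -o json` returns (name, priority, direction, access, protocol, sourceAddressPrefix, destinationPortRange); the SAMPLE_RULES list is constructed for the demonstration, and the BlockWinRM and DenyOutboundInternet entries in it are hypothetical custom rules. Source matching is simplified to an exact service-tag match, so overlapping CIDR prefixes are not evaluated.

```python
"""Audit an Azure NSG rule list against the inbound rules Azure AD DS requires.

Rule dicts use the camelCase field names of `az network nsg rule list -o json`
(name, priority, direction, access, protocol, sourceAddressPrefix,
destinationPortRange). That shape is an assumption of this example, and the
SAMPLE_RULES below are constructed, not exported from a real NSG.
"""

# Required inbound rules from the default rule table: (name, port, protocol, source)
REQUIRED_INBOUND = [
    ("AllowPSRemoting", "5986", "Tcp", "AzureActiveDirectoryDomainServices"),
    ("AllVnetInBound", "*", "*", "VirtualNetwork"),
    ("AllowAzureLoadBalancerInBound", "*", "*", "AzureLoadBalancer"),
]


def port_covers(rule_port: str, port: str) -> bool:
    """True if a rule's destinationPortRange ("*", "5986" or "5000-6000") covers port."""
    if rule_port == "*":
        return True
    if port == "*":  # the required rule needs every port; one port or a range is not enough
        return False
    if "-" in rule_port:
        low, high = (int(p) for p in rule_port.split("-", 1))
        return low <= int(port) <= high
    return rule_port == port


def rule_covers(rule: dict, port: str, proto: str, src: str) -> bool:
    """True if the rule matches traffic on port/proto from the given source tag.

    Simplification: a source matches only when it is "*" or exactly the tag.
    """
    proto_ok = rule["protocol"] == "*" or rule["protocol"].lower() == proto.lower()
    src_ok = rule["sourceAddressPrefix"] in ("*", src)
    return port_covers(rule["destinationPortRange"], port) and proto_ok and src_ok


def audit_inbound(rules: list) -> dict:
    """Classify each required inbound rule as ok, missing, or blocked.

    NSG rules are evaluated in priority order and the first match wins, so a
    required Allow is only effective if no covering Deny has a lower number.
    """
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])
    result = {"ok": [], "missing": [], "blocked": {}}
    for name, port, proto, src in REQUIRED_INBOUND:
        matches = [r for r in inbound if rule_covers(r, port, proto, src)]
        allows = [r for r in matches if r["access"] == "Allow"]
        if not allows:
            result["missing"].append(name)
            continue
        first_allow = allows[0]
        denies_before = [r for r in matches
                         if r["access"] == "Deny" and r["priority"] < first_allow["priority"]]
        if denies_before:
            result["blocked"][name] = denies_before[0]["name"]
        else:
            result["ok"].append(name)
    return result


def custom_outbound_denies(rules: list) -> list:
    """Outbound Deny rules that take precedence over the default (65000+) rules."""
    return [r["name"] for r in rules
            if r["direction"] == "Outbound" and r["access"] == "Deny" and r["priority"] < 65000]


# Constructed sample: the defaults with one required rule missing, plus two
# hypothetical custom Deny rules (BlockWinRM, DenyOutboundInternet).
SAMPLE_RULES = [
    {"name": "BlockWinRM", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "5986"},
    {"name": "AllowRD", "priority": 201, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "CorpNetSaw", "destinationPortRange": "3389"},
    {"name": "AllowPSRemoting", "priority": 301, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "AzureActiveDirectoryDomainServices",
     "destinationPortRange": "5986"},
    {"name": "AllVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "DenyOutboundInternet", "priority": 200, "direction": "Outbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "DenyAllOutBound", "priority": 65500, "direction": "Outbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    report = audit_inbound(SAMPLE_RULES)
    print("ok:             ", report["ok"])
    print("missing:        ", report["missing"])
    print("blocked:        ", report["blocked"])
    print("outbound denies:", custom_outbound_denies(SAMPLE_RULES))
```

On the sample, AllVnetInBound is reported ok, AllowAzureLoadBalancerInBound is missing, AllowPSRemoting is blocked by BlockWinRM (priority 100 sorts ahead of 301), and DenyOutboundInternet is flagged as a custom outbound restriction. To run it against a real NSG, load the output of `az network nsg rule list --nsg-name <name> -g <resource-group> -o json` with `json.load` and pass the list to the two functions.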

Add a security rule

To add a missing security rule, complete the following steps:

  1. In the Azure portal, search for and select Network security groups.
  2. Choose the network security group associated with your managed domain, such as AADDS-contoso.com-NSG.
  3. Under Settings in the left-hand panel, click Inbound security rules or Outbound security rules depending on which rule you need to add.
  4. Select Add, then create the required rule based on the port, protocol, direction, etc. When ready, select OK.

It takes a few moments for the security rule to be added and shown in the list.

Next steps

If you still have issues, open an Azure support request for additional troubleshooting assistance.