Understand the health states and resolve suspended domains in Azure Active Directory Domain Services

When Azure Active Directory Domain Services (Azure AD DS) is unable to service a managed domain for a long period of time, it puts the managed domain into a suspended state. If a managed domain remains in a suspended state, it's automatically deleted. To keep your Azure AD DS managed domain healthy and avoid suspension, resolve any alerts as quickly as you can.

This article explains why managed domains are suspended, and how to recover a suspended domain.

Overview of managed domain states

Through the lifecycle of a managed domain, there are different states that indicate its health. If the managed domain reports an issue, quickly resolve the underlying cause to stop the state from continuing to degrade.

Figure: Progression of states a managed domain passes through on the way to suspension.

A managed domain can be in one of the following states:

Running state

A managed domain that's configured correctly and without problems is in the Running state. This is the desired state for a managed domain.

What to expect

  • The Azure platform can regularly monitor the health of the managed domain.
  • Domain controllers for the managed domain are patched and updated regularly.
  • Changes from Azure Active Directory are regularly synchronized to the managed domain.
  • Regular backups are taken for the managed domain.

Needs Attention state

A managed domain with one or more issues that need to be fixed is in the Needs Attention state. The health page for the managed domain lists the alerts and indicates where there's a problem.

Some alerts are transient and are automatically resolved by the Azure platform. For other alerts, you can fix the issue by following the resolution steps provided. If there's a critical alert, open an Azure support request for additional troubleshooting assistance.

One example of an alert is when there's a restrictive network security group. In this configuration, the Azure platform may not be able to update and monitor the managed domain. An alert is generated, and the state changes to Needs Attention.

For more information, see How to troubleshoot alerts for a managed domain.

What to expect

When a managed domain is in the Needs Attention state, the Azure platform may not be able to monitor, patch, update, or back up data on a regular basis. In some cases, like an invalid network configuration, the domain controllers for the managed domain may be unreachable.

  • The managed domain is in an unhealthy state and ongoing health monitoring may stop until the alert is resolved.
  • Domain controllers for the managed domain can't be patched or updated.
  • Changes from Azure Active Directory may not be synchronized to the managed domain.
  • Backups for the managed domain may not be taken.
  • If you resolve non-critical alerts that are impacting the managed domain, the health should return to the Running state.
  • Critical alerts are triggered for configuration issues where the Azure platform can't reach the domain controllers. If these critical alerts aren't resolved within 15 days, the managed domain enters the Suspended state.

Suspended state

A managed domain enters the Suspended state for one of the following reasons:

  • One or more critical alerts haven't been resolved in 15 days.
    • Critical alerts can be caused by a misconfiguration that blocks access to resources that are needed by Azure AD DS. For example, the alert AADDS104: Network Error has been unresolved for more than 15 days in the managed domain.
  • There's a billing issue with the Azure subscription or the Azure subscription has expired.

Managed domains are suspended when the Azure platform can't manage, monitor, patch, or back up the domain. A managed domain stays in a Suspended state for 15 days. To maintain access to the managed domain, resolve critical alerts immediately.

What to expect

The following behavior is experienced when a managed domain is in the Suspended state:

  • Domain controllers for the managed domain are de-provisioned and aren't reachable within the virtual network.
  • Secure LDAP access to the managed domain over the internet, if enabled, stops working.
  • There are failures in authenticating to the managed domain, logging on to domain-joined VMs, or connecting over LDAP/LDAPS.
  • Backups for the managed domain are no longer taken.
  • Synchronization with Azure AD stops.

How do you know if your managed domain is suspended?

You see an alert on the Azure AD DS Health page in the Azure portal that notes the domain is suspended. The state of the domain also shows Suspended.

Restore a suspended domain

To restore the health of a managed domain that's in the Suspended state, complete the following steps:

  1. In the Azure portal, search for and select Domain services.
  2. Choose your managed domain from the list, such as aaddscontoso.com, then select Health.
  3. Select the alert, such as AADDS503 or AADDS504, depending on the cause of suspension.
  4. Choose the resolution link that's provided in the alert and follow the steps to resolve it.

A managed domain can only be restored to the date of the last backup. The date of your last backup is displayed on the Health page of the managed domain. Any changes that occurred after the last backup won't be restored. Backups for a managed domain are stored for up to 30 days. Backups that are older than 30 days are deleted.

After you resolve alerts when the managed domain is in the Suspended state, open an Azure support request to return to a healthy state. If there's a backup less than 30 days old, Azure support can restore the managed domain.

Deleted state

If a managed domain stays in the Suspended state for 15 days, it's deleted. This process is unrecoverable.

What to expect

When a managed domain enters the Deleted state, the following behavior is seen:

  • All resources and backups for the managed domain are deleted.
  • You can't restore the managed domain. You must create a replacement managed domain to reuse Azure AD DS.
  • After it's deleted, you aren't billed for the managed domain.
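The windows described in the Needs Attention, Suspended and Deleted sections (15 days, 15 days, 30-day backup retention) can be projected from the date of the oldest unresolved critical alert. This is an added example, not Microsoft code or an Azure API; `project` and its parameters are hypothetical names, the dates are constructed, and suspension caused by a billing issue is not modeled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Windows stated on this page.
CRITICAL_ALERT_WINDOW = timedelta(days=15)  # unresolved critical alert -> Suspended
SUSPENDED_WINDOW = timedelta(days=15)       # Suspended -> Deleted (unrecoverable)
BACKUP_RETENTION = timedelta(days=30)       # older backups are deleted


@dataclass
class Projection:
    state: str
    suspends_at: Optional[datetime]
    deleted_at: Optional[datetime]
    restorable: bool  # True if a backup younger than 30 days still exists


def project(now: datetime,
            critical_alert_since: Optional[datetime] = None,
            other_alerts: bool = False,
            last_backup: Optional[datetime] = None) -> Projection:
    """Project the lifecycle state from the oldest unresolved critical alert.

    Hypothetical helper: inputs are values read off the Health page by hand;
    exact platform cut-over times are assumed to fall on the day boundaries.
    """
    suspends_at = deleted_at = None
    if critical_alert_since is None:
        state = "Needs attention" if other_alerts else "Running"
    else:
        suspends_at = critical_alert_since + CRITICAL_ALERT_WINDOW
        deleted_at = suspends_at + SUSPENDED_WINDOW
        if now < suspends_at:
            state = "Needs attention"
        elif now < deleted_at:
            state = "Suspended"
        else:
            state = "Deleted"
    # Deletion removes all backups; otherwise the 30-day retention decides.
    restorable = (state != "Deleted" and last_backup is not None
                  and now - last_backup < BACKUP_RETENTION)
    return Projection(state, suspends_at, deleted_at, restorable)


if __name__ == "__main__":
    raised = datetime(2024, 1, 1)  # constructed sample dates
    for day in (10, 20, 30):
        print(day, project(raised + timedelta(days=day), raised, last_backup=raised))
```

With these windows, a backup taken on the day the critical alert was raised reaches the 30-day retention limit on the projected deletion date, so an older last backup can already be gone while the domain is still Suspended.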

Next steps

To keep your managed domain healthy and minimize the risk of it becoming suspended, learn how to resolve alerts for your managed domain.