Known issues: Common alerts and resolutions in Azure Active Directory Domain Services

As a central part of identity and authentication for applications, Azure Active Directory Domain Services (Azure AD DS) sometimes has problems. If you run into issues, there are some common alerts and associated troubleshooting steps to help you get things running again. At any time, you can also open an Azure support request for additional troubleshooting assistance.

This article provides troubleshooting information for common alerts in Azure AD DS.

AADDS100: Missing directory

Alert message

The Azure AD directory associated with your managed domain may have been deleted. The managed domain is no longer in a supported configuration. Microsoft cannot monitor, manage, patch, and synchronize your managed domain.

Resolution

This error is usually caused when an Azure subscription is moved to a new Azure AD directory and the old Azure AD directory that's associated with Azure AD DS is deleted.

This error is unrecoverable. To resolve the alert, delete your existing managed domain and recreate it in your new directory. If you have trouble deleting the managed domain, open an Azure support request for additional troubleshooting assistance.

AADDS101: Azure AD B2C is running in this directory

Alert message

Azure AD Domain Services cannot be enabled in an Azure AD B2C Directory.

Resolution

Azure AD DS automatically synchronizes with an Azure AD directory. If the Azure AD directory is configured for B2C, Azure AD DS can't be deployed and synchronized.

To use Azure AD DS, you must recreate your managed domain in a non-Azure AD B2C directory using the following steps:

  1. Delete the managed domain from your existing Azure AD directory.
  2. Create a new Azure AD directory that isn't an Azure AD B2C directory.
  3. Create a replacement managed domain.

The managed domain's health automatically updates itself within two hours and removes the alert.

AADDS103: Address is in a public IP range

Alert message

The IP address range for the virtual network in which you have enabled Azure AD Domain Services is in a public IP range. Azure AD Domain Services must be enabled in a virtual network with a private IP address range. This configuration impacts Microsoft's ability to monitor, manage, patch, and synchronize your managed domain.

Resolution

Before you begin, make sure you understand private IPv4 address spaces.

Inside a virtual network, VMs can make requests to Azure resources in the same IP address range as configured for the subnet. If you configure a public IP address range for a subnet, requests routed within a virtual network may not reach the intended web resources. This configuration can lead to unpredictable errors with Azure AD DS.

Note

If you own the IP address range in the internet that is configured in your virtual network, this alert can be ignored. However, Azure AD Domain Services can't commit to the SLA with this configuration since it can lead to unpredictable errors.

To resolve this alert, delete your existing managed domain and recreate it in a virtual network with a private IP address range. This process is disruptive as the managed domain is unavailable and any custom resources you've created like OUs or service accounts are lost.

  1. Delete the managed domain from your directory.
  2. To update the virtual network IP address range, search for and select Virtual network in the Azure portal. Select the virtual network for Azure AD DS that incorrectly has a public IP address range set.
  3. Under Settings, select Address Space.
  4. Update the address range by choosing the existing address range and editing it, or adding an additional address range. Make sure the new IP address range is in a private IP range. When ready, Save the changes.
  5. Select Subnets in the left-hand navigation.
  6. Choose the subnet you wish to edit, or create an additional subnet.
  7. Update or specify a private IP address range then Save your changes.
  8. Create a replacement managed domain. Make sure you pick the updated virtual network subnet with a private IP address range.

The managed domain's health automatically updates itself within two hours and removes the alert.

AADDS106: Your Azure subscription is not found

Alert message

Your Azure subscription associated with your managed domain has been deleted. Azure AD Domain Services requires an active subscription to continue functioning properly.

Resolution

Azure AD DS requires an active subscription, and can't be moved to a different subscription. If the Azure subscription that the managed domain was associated with is deleted, you must recreate an Azure subscription and managed domain.

  1. Create an Azure subscription.
  2. Delete the managed domain from your existing Azure AD directory.
  3. Create a replacement managed domain.

AADDS107: Your Azure subscription is disabled

Alert message

Your Azure subscription associated with your managed domain is not active. Azure AD Domain Services requires an active subscription to continue functioning properly.

Resolution

Azure AD DS requires an active subscription. If the Azure subscription that the managed domain was associated with isn't active, you must renew it to reactivate the subscription.

  1. Renew your Azure subscription.
  2. Once the subscription is renewed, an Azure AD DS notification lets you re-enable the managed domain.

When the managed domain is enabled again, the managed domain's health automatically updates itself within two hours and removes the alert.

AADDS108: Subscription moved directories

Alert message

The subscription used by Azure AD Domain Services has been moved to another directory. Azure AD Domain Services needs to have an active subscription in the same directory to function properly.

Resolution

Azure AD DS requires an active subscription, and can't be moved to a different subscription. If the Azure subscription that the managed domain was associated with is moved, move the subscription back to the previous directory, or delete your managed domain from the existing directory and create a replacement managed domain in the chosen subscription.

AADDS109: Resources for your managed domain cannot be found

Alert message

A resource that is used for your managed domain has been deleted. This resource is needed for Azure AD Domain Services to function properly.

Resolution

Azure AD DS creates additional resources to function properly, such as public IP addresses, virtual network interfaces, and a load balancer. If any of these resources are deleted, the managed domain is in an unsupported state and prevents the domain from being managed. For more information on these resources, see Network resources used by Azure AD DS.

This alert is generated when one of these required resources is deleted. If the resource was deleted less than 4 hours ago, there's a chance that the Azure platform can automatically recreate the deleted resource. The following steps outline how to check the health status and timestamp for resource deletion:

  1. In the Azure portal, search for and select Domain Services. Choose your managed domain, such as aaddscontoso.com.

  2. In the left-hand navigation, select Health.

  3. In the health page, select the alert with the ID AADDS109.

  4. The alert has a timestamp for when it was first found. If that timestamp is less than 4 hours ago, the Azure platform may be able to automatically recreate the resource and resolve the alert by itself.

    If the alert is more than 4 hours old, the managed domain is in an unrecoverable state. Delete the managed domain and then create a replacement managed domain.

AADDS110: The subnet associated with your managed domain is full

Alert message

The subnet selected for deployment of Azure AD Domain Services is full, and does not have space for the additional domain controller that needs to be created.

Resolution

The virtual network subnet for Azure AD DS needs sufficient IP addresses for the automatically created resources. This IP address space includes the need to create replacement resources if there's a maintenance event. To minimize the risk of running out of available IP addresses, don't deploy additional resources, such as your own VMs, into the same virtual network subnet as the managed domain.

This error is unrecoverable. To resolve the alert, delete your existing managed domain and recreate it. If you have trouble deleting the managed domain, open an Azure support request for additional troubleshooting assistance.

AADDS111: Service principal unauthorized

Alert message

A service principal that Azure AD Domain Services uses to service your domain is not authorized to manage resources on the Azure subscription. The service principal needs to gain permissions to service your managed domain.

Resolution

Some automatically generated service principals are used to manage and create resources for a managed domain. If the access permissions for one of these service principals are changed, the domain is unable to correctly manage resources. The following steps show you how to understand and then grant access permissions to a service principal:

  1. Read about role-based access control and how to grant access to applications in the Azure portal.
  2. Review the access that the service principal with the ID abba844e-bc0e-44b0-947a-dc74e5d09022 has and grant the access that was denied at an earlier date.

AADDS112: Not enough IP address in the managed domain

Alert message

We have identified that the subnet of the virtual network in this domain may not have enough IP addresses. Azure AD Domain Services needs at-least two available IP addresses within the subnet it is enabled in. We recommend having at-least 3-5 spare IP addresses within the subnet. This may have occurred if other virtual machines are deployed within the subnet, thus exhausting the number of available IP addresses or if there is a restriction on the number of available IP addresses in the subnet.

Resolution

The virtual network subnet for Azure AD DS needs enough IP addresses for the automatically created resources. This IP address space includes the need to create replacement resources if there's a maintenance event. To minimize the risk of running out of available IP addresses, don't deploy additional resources, such as your own VMs, into the same virtual network subnet as the managed domain.

To resolve this alert, delete your existing managed domain and re-create it in a virtual network with a large enough IP address range. This process is disruptive as the managed domain is unavailable and any custom resources you've created like OUs or service accounts are lost.

  1. Delete the managed domain from your directory.
  2. To update the virtual network IP address range, search for and select Virtual network in the Azure portal. Select the virtual network for the managed domain that has the small IP address range.
  3. Under Settings, select Address Space.
  4. Update the address range by choosing the existing address range and editing it, or adding an additional address range. Make sure the new IP address range is large enough for the managed domain's subnet range. When ready, Save the changes.
  5. Select Subnets in the left-hand navigation.
  6. Choose the subnet you wish to edit, or create an additional subnet.
  7. Update or specify a large enough IP address range then Save your changes.
  8. Create a replacement managed domain. Make sure you pick the updated virtual network subnet with a large enough IP address range.

The managed domain's health automatically updates itself within two hours and removes the alert.
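
Because both AADDS103 and AADDS112 are resolved by deleting and recreating the managed domain, it is worth validating the planned address space and subnet before deployment. The following check is an added example, not part of the original article or Microsoft's tooling; it assumes "private IP range" means the RFC 1918 blocks, that Azure reserves five addresses in every subnet, and that you supply the number of addresses already in use. The function names are hypothetical.

```python
import ipaddress

# RFC 1918 private IPv4 blocks (assumed to be what "private IP range" means here).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_RESERVED = 5      # addresses Azure reserves in every subnet
MIN_FREE = 2            # AADDS112: at least two available addresses
RECOMMENDED_FREE = 3    # AADDS112: lower bound of the 3-5 spare recommendation


def is_rfc1918(cidr):
    """True only if the whole prefix sits inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)


def free_addresses(subnet_cidr, used_ips):
    """Addresses still assignable after Azure's reservation and current use."""
    subnet = ipaddress.ip_network(subnet_cidr, strict=False)
    return max(subnet.num_addresses - AZURE_RESERVED - used_ips, 0)


def check_subnet(vnet_prefixes, subnet_cidr, used_ips):
    """Return findings for a planned managed-domain subnet (empty list = OK)."""
    findings = []
    for prefix in list(vnet_prefixes) + [subnet_cidr]:
        if not is_rfc1918(prefix):
            findings.append(f"AADDS103: {prefix} is not in a private IP range")
    free = free_addresses(subnet_cidr, used_ips)
    if free < MIN_FREE:
        findings.append(
            f"AADDS112: {free} free address(es), at least {MIN_FREE} required")
    elif free < RECOMMENDED_FREE:
        findings.append(
            f"AADDS112 risk: {free} free addresses, 3-5 spare recommended")
    return findings


if __name__ == "__main__":
    # Constructed sample plans: (address space, subnet, addresses already in use)
    plans = [
        (["10.0.0.0/16"], "10.0.1.0/24", 4),
        (["172.32.0.0/16"], "172.32.1.0/24", 4),   # just outside 172.16.0.0/12
        (["10.0.0.0/16"], "10.0.2.0/29", 2),       # 8 - 5 reserved - 2 used = 1
    ]
    for prefixes, subnet, used in plans:
        print(subnet, check_subnet(prefixes, subnet, used) or "OK")
```

The 172.32.0.0/16 case shows why a prefix has to be tested for containment in an RFC 1918 block rather than judged by its first octet.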

AADDS113: Resources are unrecoverable

Alert message

The resources used by Azure AD Domain Services were detected in an unexpected state and cannot be recovered.

Resolution

This error is unrecoverable. To resolve the alert, delete your existing managed domain and recreate it. If you have trouble deleting the managed domain, open an Azure support request for additional troubleshooting assistance.

AADDS114: Subnet invalid

Alert message

The subnet selected for deployment of Azure AD Domain Services is invalid, and cannot be used.

Resolution

This error is unrecoverable. To resolve the alert, delete your existing managed domain and recreate it. If you have trouble deleting the managed domain, open an Azure support request for additional troubleshooting assistance.

AADDS115: Resources are locked

Alert message

One or more of the network resources used by the managed domain cannot be operated on as the target scope has been locked.

Resolution

Resource locks can be applied to Azure resources to prevent change or deletion. As Azure AD DS is a managed service, the Azure platform needs the ability to make configuration changes. If a resource lock is applied on some of the Azure AD DS components, the Azure platform can't perform its management tasks.

To check for resource locks on the Azure AD DS components and remove them, complete the following steps:

  1. For each of the managed domain's network components in your resource group, such as virtual network, network interface, or public IP address, check the operation logs in the Azure portal. These operation logs should indicate why an operation is failing and where a resource lock is applied.
  2. Select the resource where a lock is applied, then under Locks, select and remove the lock(s).

AADDS116: Resources are unusable

Alert message

One or more of the network resources used by the managed domain cannot be operated on due to policy restriction(s).

Resolution

Policies are applied to Azure resources and resource groups that control what configuration actions are allowed. As Azure AD DS is a managed service, the Azure platform needs the ability to make configuration changes. If a policy is applied on some of the Azure AD DS components, the Azure platform may not be able to perform its management tasks.

To check for applied policies on the Azure AD DS components and update them, complete the following steps:

  1. For each of the managed domain's network components in your resource group, such as virtual network, NIC, or public IP address, check the operation logs in the Azure portal. These operation logs should indicate why an operation is failing and where a restrictive policy is applied.
  2. Select the resource where a policy is applied, then under Policies, select and edit the policy so it's less restrictive.

AADDS500: Synchronization has not completed in a while

Alert message

The managed domain was last synchronized with Azure AD on [date]. Users may be unable to sign-in on the managed domain or group memberships may not be in sync with Azure AD.

Resolution

Check the Azure AD DS health for any alerts that indicate problems in the configuration of the managed domain. Problems with the network configuration can block the synchronization from Azure AD. If you're able to resolve alerts that indicate a configuration issue, wait two hours and check back to see if the synchronization has successfully completed.

The following common reasons cause synchronization to stop in a managed domain:

AADDS501: A backup has not been taken in a while

Alert message

The managed domain was last backed up on [date].

Resolution

Check the Azure AD DS health for alerts that indicate problems in the configuration of the managed domain. Problems with the network configuration can block the Azure platform from successfully taking backups. If you're able to resolve alerts that indicate a configuration issue, wait two hours and check back to see if the synchronization has successfully completed.

AADDS503: Suspension due to disabled subscription

Alert message

The managed domain is suspended because the Azure subscription associated with the domain is not active.

Resolution

Warning

If a managed domain is suspended for an extended period of time, there's a danger of it being deleted. Resolve the reason for suspension as quickly as possible. For more information, see Understand the suspended states for Azure AD DS.

Azure AD DS requires an active subscription. If the Azure subscription that the managed domain was associated with isn't active, you must renew it to reactivate the subscription.

  1. Renew your Azure subscription.
  2. Once the subscription is renewed, an Azure AD DS notification lets you re-enable the managed domain.

When the managed domain is enabled again, the managed domain's health automatically updates itself within two hours and removes the alert.

AADDS504: Suspension due to an invalid configuration

Alert message

The managed domain is suspended due to an invalid configuration. The service has been unable to manage, patch, or update the domain controllers for your managed domain for a long time.

Resolution

Warning

If a managed domain is suspended for an extended period of time, there's a danger of it being deleted. Resolve the reason for suspension as quickly as possible. For more information, see Understand the suspended states for Azure AD DS.

Check the Azure AD DS health for alerts that indicate problems in the configuration of the managed domain. If you're able to resolve alerts that indicate a configuration issue, wait two hours and check back to see if the synchronization has completed. When ready, open an Azure support request to re-enable the managed domain.

Next steps

If you still have issues, open an Azure support request for additional troubleshooting assistance.