i'm trying to create domain services by running the code below.
the code runs fine to the line containing:
New-AzResource -ResourceId "/subscriptions/$AzureSubscriptionId...
then i get:
VERBOSE: Performing the operation "Creating the resource..." on target "/subscriptions/guid/resourceGroups/aadds-resgrp-01/providers/Microsoft.AAD/DomainServices/xxx.domain.com". New-AzResource : The operation failed because resource is in the: 'Failed' state. Please check the logs for more details. At E:\__FVHS\!!!!!__Azure_AD_etc\create_Azure_Active_Directory_Domain_Services.ps1:168 char:2+ New-AzResource -ResourceId "/subscriptions/$AzureSubscriptionId/r ...+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo : CloseError: (:) [New-AzResource], InvalidOperationException+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceCmdlet
here's the code:
## code is based on https://docs.microsoft.com/en-us/azure/active-directory-domain-services/powershell-create-instance
if ($PSVersionTable.PSVersion.Major -ne 5) {
write-host 'this script must be run in powershell 5.n, aborting...'
return;
}
$module_names = @("Az", "AzureAD")
# $module_names = @("AzureAD")
foreach ($module_name in $module_names) {
# if (!(Get-InstalledModule -Name $module_name)) {
# Install-Module -Name $module_name -AllowClobber -Scope AllUsers
# }
Get-InstalledModule -Name $module_name
# if (!(Get-Module -ListAvailable -Name $module_name)) {
# Import-Module -Name $module_name
# }
Get-Module -ListAvailable -Name $module_name
}
function create_Azure_Active_Directory_Domain_Services {
$ErrorActionPreference = 'Stop'
Set-Alias -Name wh -Value write-host
clear
# Change the following values to match your deployment.
$AaddsAdminUserUpn = "email"
$ResourceGroupName = "aadds-resgrp-01"
$Vnet = "aadds-vnet-01"
$Vnet_AddressPrefix = "10.0.0.0/16"
$SubnetDs1 = "aadds-subnet-DS01"
$SubnetDs1_AddressPrefix = "10.0.0.0/24"
$SubnetDs2 = "aadds-subnet-DS02"
$SubnetDs2_AddressPrefix = "10.0.1.0/24"
$AzureLocation = "eastus"
$AzureSubscriptionId = "guid"
$ManagedDomainName = "xxx.domain.com"
$AaddcGroupName = "AAD DC Administrators"
$ResourceProvider = "Microsoft.AAD"
$pwd = ConvertTo-SecureString 'pwd' -AsPlainText -Force
$pscred = New-Object System.Management.Automation.PSCredential (
"email",
$pwd
)
# Connect to Azure AD directory.
Connect-AzureAD -Credential $pscred
# Login to Azure subscription.
Connect-AzAccount -Credential $pscred
# Create the service principal for Azure AD Domain Services.
if (! $(Get-AzADServicePrincipal | ? { $_.ApplicationId -eq "2565bd9d-da50-47d4-8b85-4c97f669dc36" })) {
New-AzADServicePrincipal -ApplicationId "2565bd9d-da50-47d4-8b85-4c97f669dc36"
wh "created ServicePrincipal 'Domain Controller Services'"
}
else {
wh "ServicePrincipal 'Domain Controller Services' already exists"
}
# Create the delegated administration group for AAD Domain Services.
if (! $(Get-AzureADGroup | ? { $_.DisplayName -eq $AaddcGroupName })) {
New-AzureADGroup -DisplayName "AAD DC Administrators" `
-Description "Delegated group to administer Azure AD Domain Services" `
-SecurityEnabled $true -MailEnabled $false `
-MailNickName "AzAdDcAdministrators"
wh "created AzureADGroup '$AaddcGroupName'"
}
else {
wh "AzureADGroup '$AaddcGroupName' already exists"
}
# First, retrieve the object ID of the newly created 'AAD DC Administrators' group.
$GroupObjectId = Get-AzureADGroup `
-Filter "DisplayName eq '$AaddcGroupName'" | `
Select-Object ObjectId
# Now, retrieve the object ID of the user you'd like to add to the group.
$UserObjectId = Get-AzureADUser `
-Filter "UserPrincipalName eq '$AaddsAdminUserUpn'" | `
Select-Object ObjectId
$GroupId = ($GroupObjectId.ObjectId).toString()
$UserId = ($UserObjectId.ObjectId).toString()
# Add the user to the 'AAD DC Administrators' group.
if (!(Get-AzureADGroupMember -ObjectId $GroupId | ? { $_.UserPrincipalName -eq $AaddsAdminUserUpn } )) {
Add-AzureADGroupMember -ObjectId $GroupId -RefObjectId $UserId
}
# Register the resource provider for Azure AD Domain Services with Resource Manager.
if (! $(Get-AzResourceProvider | ? { $_.ProviderNamespace -eq $ResourceProvider })) {
Register-AzResourceProvider -ProviderNamespace $ResourceProvider
wh "registered resource provider '$ResourceProvider'"
}
else {
wh "resource provider '$ResourceProvider' was already registered"
}
# Create the resource group.
if (! $(Get-AzResourceGroup | ? { $_.ResourceGroupName -eq $ResourceGroupName })) {
New-AzResourceGroup -Name $ResourceGroupName -Location $AzureLocation
wh "created resource group '$ResourceGroupName'"
}
else {
wh "resource group '$ResourceGroupName' already exists"
}
# Create the dedicated subnet for AAD Domain Services.
$AaddsSubnet = New-AzVirtualNetworkSubnetConfig `
-Name $SubnetDs1 `
-AddressPrefix $SubnetDs1_AddressPrefix
$WorkloadSubnet = New-AzVirtualNetworkSubnetConfig `
-Name $SubnetDs2 `
-AddressPrefix $SubnetDs2_AddressPrefix
# Create the virtual network in which you will enable Azure AD Domain Services.
$AaddsVirtualNetwork = New-AzVirtualNetwork `
-Name $Vnet `
-ResourceGroupName $ResourceGroupName `
-Location $AzureLocation `
-AddressPrefix $Vnet_AddressPrefix `
-Subnet $AaddsSubnet, $WorkloadSubnet
# Enable Azure AD Domain Services for the directory.
New-AzResource -ResourceId "/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.AAD/DomainServices/$ManagedDomainName" `
-Location $AzureLocation `
-Properties @{ `"DomainName" = $ManagedDomainName; `"SubnetId" = "/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/virtualNetworks/$Vnet/subnets/DomainServices"
} `
-Force -Verbose
}
create_Azure_Active_Directory_Domain_Services
i can't find any logs for this domain services object.
the only error i can find is the powershell error.
thanks for your help.
tom johnson