Azure AD DS synchronization issues

Problem description

After connecting the Azure network to Acreto and sending all traffic through Acreto vGateway, Azure Active Directory Domain Services managed domain fails to synchronize with Microsoft Windows Active Directory servers.

Symptom 1: Domain synchronization alerts

In Azure, you can see an alert:

Name: The managed domain has not completed synchronization with Azure AD for a long time
Severity: Critical
ID: AADDS500

Symptom 2: Logs contain something

In Azure, you can see an alert:

Name: The managed domain is experiencing a network error
Severity: Critical
ID: AADDS104

Cause

Most likely, your Azure network’s routing table has a default route (0.0.0.0/0) defined that routes all traffic through Acreto vGateway. It means that also communication required to synchronize with Azure AD DS is sent through Acreto, and is SNAT’ed (its source IP address is replaced) to Acreto Allocated IP address. Microsoft detects that synchronization traffic goes from a different source IP address than expected, and blocks that traffic. This breaks synchronization between Azure AD DS and the target server.

Solutions

Solution 1: Separate Azure AD DS virtual network from Acreto networks (recommended)

1. Deploy Azure AD DS into a separate virtual network ("ADDS virtual network")
2. Configure default route in Azure AD DS to use default Azure gateway
3. Deploy Acreto vGateway and resources connected to Acreto into another virtual network ("resources virtual network"), and peer that network to the ADDS virtual network
4. Configure routing table in the resources virtual network to push all traffic (0.0.0.0/0) via Acreto vGateway
5. In case Acreto users are authenticated using Azure AD DS, ensure that traffic from ADDS virtual network to subnet 100.64.0.0/16 is routed through resources virtual network and Acreto vGateway

See Azure virtual network design for details.

Solution 2: Define static routes on resources

1. In Azure routing table, use default value for the route to 0.0.0.0/0
2. On each resource (server) that uses Acreto, define a static default route that will go

Solution 3: Define explicit routes to send Azure AD DS traffic through the Azure gateway

Create routing configuration that will route IP addresses from Azure service tags through standard Azure gateway, while keeping default route pointing to Acreto vGateway. You can download a list of Azure IP Ranges and Service Tags – Public Cloud.

See User-defined routes for more details.

See also

Please refer to the following additional material:

1. Known issues: Common alerts and resolutions in Azure Active Directory Domain Services
2. Known issues: Network configuration alerts in Azure Active Directory Domain Services
3. Virtual network design considerations and configuration options for Azure Active Directory Domain Services