Domain Services: create domain service fails to create service principals #11200

Closed
manicminer opened this issue Oct 14, 2020 · 10 comments
Labels: AAD, question, Service Attention

Comments

@manicminer

When trying to create a new domain service:

PUT https://management.azure.com/subscriptions/1a6092a6-137e-4025-9a7c-ef77f76f2c02/resourceGroups/acctestRG-aadds-201014202843815354/providers/Microsoft.AAD/domainServices/acctest-hoq0t1j.onmicrosoft.com?api-version=2017-06-01

{
	"location": "westeurope",
	"properties": {
		"domainName": "acctest-hoq0t1j.onmicrosoft.com",
		"filteredSync": "Disabled",
		"subnetId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/acctestRG-aadds-201014202843815354/providers/Microsoft.Network/virtualNetworks/acctestVnet-aadds-201014202843815354/subnets/acctestSubnet-aadds-201014202843815354"
	}
}

a 201 response is received:

:status: 201
cache-control: no-cache
pragma: no-cache
content-length: 999
content-type: application/json; charset=utf-8
expires: -1
etag: W/"datetime'2020-10-14T19%3A29%3A01.3973196Z'"
x-ms-request-id: 0a125d44-c685-4542-b594-3051e1228aa4
azure-asyncoperation: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.AAD/locations/westeurope/operationResults/3181fe51-24d0-40bd-a6ab-46ae595929b5?api-version=2017-06-01
x-ms-ratelimit-remaining-subscription-writes: 1198
x-ms-correlation-request-id: 5ba47d29-3629-91a0-c3e3-1ea8d18005f6
x-ms-routing-request-id: UKWEST:20201014T192917Z:ee2675b1-2b9b-4000-a1e0-157ffd2ebd84
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
date: Wed, 14 Oct 2020 19:29:17 GMT

{
	"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/acctestRG-aadds-201014202843815354/providers/Microsoft.AAD/domainServices/acctest-hoq0t1j.onmicrosoft.com",
	"name": "acctest-hoq0t1j.onmicrosoft.com",
	"type": "Microsoft.AAD/domainServices",
	"etag": "W/\"datetime'2020-10-14T19%3A29%3A01.3973196Z'\"",
	"location": "westeurope",
	"properties": {
		"version": 1,
		"tenantId": "00000000-0000-0000-0000-000000000000",
		"domainName": "acctest-hoq0t1j.onmicrosoft.com",
		"deploymentId": "9b18d3fd-4f7a-486b-b98c-a46d7f6764b8",
		"subnetId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/acctestRG-aadds-201014202843815354/providers/Microsoft.Network/virtualNetworks/acctestVnet-aadds-201014202843815354/subnets/acctestSubnet-aadds-201014202843815354",
		"domainSecuritySettings": {
			"ntlmV1": "Enabled",
			"tlsV1": "Enabled",
			"syncNtlmPasswords": "Enabled",
			"syncKerberosPasswords": "Enabled",
			"syncOnPremPasswords": "Enabled"
		},
		"filteredSync": "Disabled",
		"sku": "Enterprise",
		"provisioningState": "Creating"
	}
}

After several retrievals of the async operation result, the following is received, and the domain service resource enters a failed state.

{
	"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.AAD/locations/westeurope/operationResults/3181fe51-24d0-40bd-a6ab-46ae595929b5",
	"name": "3181fe51-24d0-40bd-a6ab-46ae595929b5",
	"status": "Failed",
	"startTime": "0001-01-01T00:00:00Z",
	"endTime": "0001-01-01T00:00:00Z",
	"percentComplete": 0.0,
	"error": {
		"code": "InternalError",
		"message": "The service principal with appId '2565bd9d-da50-47d4-8b85-4c97f669dc36' could not be found in the Azure Active Directory tenant. Please retry the operation."
	}
}


According to the documentation, creating a new domain service is supposed to implicitly create two service principals.


It seems like this isn't happening correctly.

@ghost

ghost commented Oct 16, 2020

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @adamedx.

@XavierGeerinck

XavierGeerinck commented Nov 10, 2020

+1 any updates on this, seeing that this is quite a crucial component to have 😊 (temporarily we can of course utilize the ARM way, but I would prefer this way)

@JohanVanneuville

@roytharpe

+1 please provide an update on this.

@verasbr

verasbr commented Dec 16, 2020

+1 Any update on this?

@jflieben

jflieben commented Jan 14, 2021

+1 same issue here, I used New-AzureADServicePrincipal -AppId "2565bd9d-da50-47d4-8b85-4c97f669dc36" and New-AzureADServicePrincipal -AppId "6ba9a5d4-8456-4118-b521-9c5ca10cdf84" to manually register these SPNs and confirmed they exist in my AzureAD.

Interestingly, if I delete the 'failed' domain services instance, the SPN 256* gets DELETED automatically and the error "The service principal with appId '2565bd9d-da50-47d4-8b85-4c97f669dc36' could not be found in the Azure Active Directory tenant" occurs again.

I also noticed I already had two Domain Controller SPN instances in AzureAD with different app IDs (probably from early preview tests):


After deleting these and making sure I had an entry for both app id's, I then received a new error: "The identity of the calling application could not be found. Please retry the operation."

Finally, I re-registered the Microsoft.AAD resource provider to get rid of that error and things started working.

I would greatly prefer not having to use PS to be able to deploy AADDS through ARM.

@val3r10

val3r10 commented Feb 17, 2021

+1 This is really necessary for us

@yupwei68
Contributor

The service team has replied that this should follow the steps in the PowerShell script at https://docs.microsoft.com/en-us/azure/active-directory-domain-services/powershell-create-instance#create-required-azure-ad-resources . Please have a try.
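The prerequisite steps that jflieben worked through by hand above, and that the linked Microsoft doc describes, gathered into one idempotent script. This is an added example written for this page, not code from the issue, from Terraform, or from the Microsoft doc: it only uses the two app IDs quoted in this thread, the group name 'AAD DC Administrators' from the linked doc, and the standard AzureAD and Az.Resources cmdlets. The `$AdminUpn` parameter and the `contoso` address in its comment are placeholders.

```powershell
# Added example (not from the issue, Terraform or the Azure docs): make sure the
# Azure AD objects that Microsoft.AAD/domainServices provisioning looks for exist
# before the ARM PUT, then (re)register the resource provider.
# Requires the AzureAD and Az.Resources modules and an account that can create
# service principals and groups in the tenant.
param(
    # Placeholder: the user to seed into the delegated admin group,
    # e.g. admin@contoso.onmicrosoft.com
    [Parameter(Mandatory = $true)] [string] $AdminUpn
)

$ErrorActionPreference = 'Stop'

# App IDs quoted in this thread. 2565bd9d-... is the one the provisioning
# error message names; 6ba9a5d4-... is the second one jflieben registered.
$RequiredAppIds = @(
    '2565bd9d-da50-47d4-8b85-4c97f669dc36',
    '6ba9a5d4-8456-4118-b521-9c5ca10cdf84'
)

Connect-AzureAD | Out-Null
Connect-AzAccount | Out-Null

# 1. Service principals. The failure in this issue is AADDS looking up the SP
#    behind appId 2565bd9d-... and not finding it, so create any that are missing
#    and leave existing ones alone (a delete of a failed instance removes the SP
#    again, so this step is safe to re-run).
foreach ($appId in $RequiredAppIds) {
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
    if ($null -eq $sp) {
        Write-Host "Creating service principal for appId $appId"
        $sp = New-AzureADServicePrincipal -AppId $appId
    } else {
        Write-Host "Service principal for appId $appId already present: $($sp.DisplayName)"
    }
}

# 2. Delegated admin group from the linked doc, created only if absent.
$group = Get-AzureADGroup -Filter "DisplayName eq 'AAD DC Administrators'"
if ($null -eq $group) {
    $group = New-AzureADGroup -DisplayName 'AAD DC Administrators' `
        -Description 'Delegated group to administer Azure AD Domain Services' `
        -SecurityEnabled $true -MailEnabled $false -MailNickName 'AADDCAdministrators'
}

# 3. Put the admin user in the group if not already a member.
$user = Get-AzureADUser -Filter "userPrincipalName eq '$AdminUpn'"
if ($null -eq $user) { throw "User $AdminUpn not found in tenant" }
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true
if (-not ($members.ObjectId -contains $user.ObjectId)) {
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
}

# 4. Resource provider. jflieben hit "The identity of the calling application
#    could not be found" until Microsoft.AAD was re-registered, so check the
#    registration state and register if any resource type is not 'Registered'.
$rp = Get-AzResourceProvider -ProviderNamespace Microsoft.AAD
if ($rp.RegistrationState -notcontains 'Registered') {
    Register-AzResourceProvider -ProviderNamespace Microsoft.AAD | Out-Null
}
Get-AzResourceProvider -ProviderNamespace Microsoft.AAD |
    Select-Object ProviderNamespace, RegistrationState -Unique
```

Run it once per tenant before the first `PUT .../providers/Microsoft.AAD/domainServices/...`, and again after deleting a failed instance, since that deletion takes the 2565bd9d service principal with it. Registration of Microsoft.AAD is asynchronous; re-run the final `Get-AzResourceProvider` until every row reads `Registered` before retrying the deployment.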

@manicminer
Author

@yupwei Thanks for the tip. Using the latest API 2020-01-01, and with the aid of the doc you linked, I have been able to create a working resource!

@katbyte

katbyte commented Mar 29, 2021

@manicminer - this can be closed then?

@manicminer
Author

@katbyte This can indeed be closed, I haven't had any more related errors
