Forum Discussion
Session host unavailable due to DomainReachable check error
Hi all,
I'm running an AVD farm with Remote Desktop hosts. Since this afternoon all my hosts show as unavailable and in the host summary under VM Status there is a failed status for the DomainReachable check.
We've tested all sorts of connectivity to the machines and all can reach the domain just fine. I can also still add new hosts to the farm with a successful domain join. However, in minutes after adding the new host it will also fail the DomainReachable check.
Is there any way to see what this check is doing and why it's failing? I can't find any details on this in the logs on the virtual machine or in Log Analytics.
- planetwilson, Brass Contributor
Bas van der Kruijssen I assume that this is a validation host pool? We are seeing the same thing. The validation host pools have some new checks introduced to them including domain connectivity. Unfortunately the way this works is that the RDAgent attempts to ping all the DCs it knows about. If it cannot reach any of them it marks the machine as unavailable and drops from load.
This is really bad - the ICMP protocol is frequently blocked in corporate networks as a security measure. You will need to ensure that any NSGs you have configured allow it through. We had to do this as a temporary measure to get our boxes back. They really need to urgently review how they check domain connectivity...my machines were perfectly able to contact the domain - their check is broken.
- Bas van der Kruijssen, Copper Contributor
I was afraid of that, we already have a change in progress to allow ICMP through the firewalls.
I agree that this check is broken; checking whether functionality is available by pinging a host doesn't say anything about the domain actually being available. At least do check if LDAP or SMB (sysvol) is available.
- planetwilson, Brass Contributor
Bas van der Kruijssen I have been told that it is getting rolled back soon and reviewed.
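
The comparison raised in this thread (ICMP versus LDAP and SMB reachability of each domain controller), as an added example that is not part of the original posts and is not the RDAgent's own check. The function names `Test-TcpPort` and `Get-DomainControllerReachability` are hypothetical, and the script assumes it runs on a domain-joined session host in a domain user session where `$env:USERDNSDOMAIN` is set.

```powershell
# Added example: compare ICMP reachability with TCP reachability of the
# services a domain member actually uses (LDAP 389, SMB 445 for SYSVOL).
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $task = $client.ConnectAsync($ComputerName, $Port)
        # Wait() returns $false on timeout; a refused connection throws.
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Dispose()
    }
}

function Get-DomainControllerReachability {
    # Assumption: USERDNSDOMAIN holds the AD DNS domain name of this host.
    param([string]$DomainName = $env:USERDNSDOMAIN)
    # Domain controllers are published in DNS as SRV records under _msdcs.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
        [pscustomobject]@{
            DomainController = $dc
            Icmp             = Test-Connection -ComputerName $dc -Count 1 -Quiet
            Ldap389          = Test-TcpPort -ComputerName $dc -Port 389
            Smb445           = Test-TcpPort -ComputerName $dc -Port 445
        }
    }
}

$results = @(Get-DomainControllerReachability)
$results | Format-Table -AutoSize

# The situation described in the thread: ping is filtered, yet the
# directory and SYSVOL ports answer, so a ping-only check reports a false failure.
$results |
    Where-Object { -not $_.Icmp -and $_.Ldap389 -and $_.Smb445 } |
    ForEach-Object {
        Write-Warning "$($_.DomainController): ICMP blocked, LDAP and SMB reachable"
    }
```

Rows where `Icmp` is `False` while `Ldap389` and `Smb445` are `True` give you evidence that the hosts can reach the domain even though a ping-based check marks them unavailable.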