Jul 11 2022 07:04 AM
Hi all,
I'm running an AVD farm with Remote Desktop hosts. Since this afternoon all my hosts show as unavailable, and in the host summary under VM Status there is a failed status for the DomainReachable check.
We've tested all sorts of connectivity to the machines and all can reach the domain just fine. I can also still add new hosts to the farm with a successful domain join. However, within minutes after adding the new host it will also fail the DomainReachable check.
Is there any way to see what this check is doing and why it's failing? I can't find any details on this in the logs on the virtual machine or in Log Analytics.
Jul 12 2022 04:09 AM
Solution
@Bas van der Kruijssen I assume that this is a validation host pool? We are seeing the same thing. The validation host pools have some new checks introduced to them, including domain connectivity. Unfortunately the way this works is that the RDAgent attempts to ping all the DCs it knows about. If it cannot reach any of them it marks the machine as unavailable and drops it from load.
This is really bad - the ICMP protocol is frequently blocked in corporate networks as a security measure. You will need to ensure that any NSGs you have configured allow it through. We had to do this as a temporary measure to get our boxes back. They really need to urgently review how they check domain connectivity... my machines were perfectly able to contact the domain - their check is broken.
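To confirm on a session host whether the symptom described in the answer above applies (DCs reachable over LDAP/Kerberos but not answering ICMP), the following PowerShell can be run on the host. It is an added example, not code from the thread or from the AVD agent: it discovers the domain controllers via the `_ldap._tcp.dc._msdcs` SRV record, then compares ICMP against TCP 389 and TCP 88 per DC. The optional NSG section assumes Az PowerShell is installed and uses placeholder resource names and a placeholder DC subnet prefix; it scopes the ICMP allowance to the DC subnet rather than opening ICMP everywhere.

```powershell
# Added example (not from the thread). Run on an AVD session host as a domain user.
# Part 1: per-DC reachability - ICMP (what the post says the RDAgent relies on)
# versus the protocols the domain actually needs (LDAP 389, Kerberos 88).
function Test-DcReachability {
    param([string]$Domain = $env:USERDNSDOMAIN)

    # Locate DCs the same way Windows does: the SRV record for the domain's DCs.
    $dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' } |
           Select-Object -ExpandProperty NameTarget -Unique

    foreach ($dc in $dcs) {
        # ICMP echo: returns $true/$false without throwing.
        $icmp = Test-Connection -ComputerName $dc -Count 2 -Quiet -ErrorAction SilentlyContinue
        # TCP probes: suppress the "ping failed" warning, keep only the TCP verdict.
        $ldap = (Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
        $krb  = (Test-NetConnection -ComputerName $dc -Port 88  -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ DC = $dc; ICMP = $icmp; LDAP389 = $ldap; Kerberos88 = $krb }
    }
}

$results = Test-DcReachability
$results | Format-Table -AutoSize

# Interpretation: if LDAP/Kerberos succeed on at least one DC but no DC answers ICMP,
# the domain is genuinely reachable and the failure is the ICMP-based check itself.
if (($results.LDAP389 -contains $true) -and -not ($results.ICMP -contains $true)) {
    Write-Warning "Domain reachable over TCP, but no DC answers ICMP - NSG/firewall is likely dropping echo requests."
}

# Part 2 (optional, assumption: Az.Network module, placeholder names): allow ICMP from the
# host subnet only to the DC subnet, as the narrowest rule that satisfies a ping-based check.
function Add-IcmpToDcsRule {
    param(
        [string]$ResourceGroup = 'rg-avd-placeholder',     # placeholder
        [string]$NsgName       = 'nsg-avd-hosts-placeholder', # placeholder
        [string]$DcSubnet      = '10.0.0.0/24'               # placeholder DC subnet prefix
    )
    $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName
    Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
        -Name 'Allow-ICMP-to-DCs' -Description 'ICMP echo to domain controllers only' `
        -Access Allow -Protocol Icmp -Direction Outbound -Priority 200 `
        -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
        -DestinationAddressPrefix $DcSubnet -DestinationPortRange * | Out-Null
    Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
}
# Add-IcmpToDcsRule -ResourceGroup 'rg-avd-placeholder' -NsgName 'nsg-avd-hosts-placeholder' -DcSubnet '10.0.0.0/24'
```

The table from Part 1 is the evidence worth attaching to a support case: a row showing `ICMP False` alongside `LDAP389 True` / `Kerberos88 True` reproduces exactly the situation the answer describes. Part 2 is deliberately outbound-only and destination-scoped, so it does not weaken the broader ICMP posture the post mentions corporate networks rely on; a matching inbound rule on the DC subnet's NSG may also be needed, and the Windows firewall on the DCs must permit echo requests too.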
Jul 12 2022 08:17 AM
@Bas van der Kruijssen I have been told that it is getting rolled back soon and reviewed.