-
Title
ODM AD Domain Move Failing to Add Domain "Bad Request error" -
Description
We are working on a domain move utilizing On Demand's Domain Move feature.
I'd like to note that adding the domain manually worked without a hitch, only attempting to add it automatically through
On Demand had issues. During the migration, we are continually failing to add a child domain to the target tenant due to a Bad Request error.
It appears the request from OnDemand contains an invalid value.
I would assume according to the stack trace that one of the parameters is invalid for the API call: at Microsoft.Open.AzureAD16.Client.Configuration.<>c.<.cctor>b__47_0(String methodName, IRestResponse response) at Microsoft.Open.AzureAD16.Api.DomainApi.NewDomainWithHttpInfo(String tenantId, String authorization, String cmdletName, String clientRequestId, String apiVersion, Domain domain) at Microsoft.Open.AzureAD16.PowerShell.NewDomain.ProcessRecord() in X:\bt\9168\repo\src\dev\PowerShell.V2\AzureAD16.PowerShell\AzureAD16.PowerShell.AutoGen\API\DomainApi.cs:line 726 Relevant Info: RequestId: d00b6fff-116e- DateTimeStamp: Wed, 19 Jan 2022 14:38:26 GMT HttpStatusCode: BadRequest
System.DirectoryServices.Protocols.LdapException: The supplied credential is invalid.
at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
at CDS.Model.DomainController.Connect(NetworkCredential credentials, Int32 port)
at CDS.Model.ActiveDirectory.GetDomainSid(DomainController dc, String rootDn, String userName, String password)
at CDS.Model.ActiveDirectory.DiscoverDCs(DomainController gcs, String configNamingContext)
----------------------------
Error,None,"Error adding target domain migration.8lbgorilla.com. [ProjectId #00 DomainCutoverId #14]","System.Management.Automation.CmdletInvocationException: Error occurred while executing NewDomain
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: 600e78bd-6
DateTimeStamp: Wed, 19 Jan 2022 14:25:37 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
---> Microsoft.Open.AzureAD16.Client.ApiException: Error occurred while executing NewDomain
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: 600e78
DateTimeStamp: Wed, 19 Jan 2022 14:25:37 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed -
Cause
The service account does not have Global Administrator permissions set, or they were set, but the Domain Move process was started prematurely, not allowing the permissions enough time to replicate throughout the environment. This can take up to a few hours to complete. -
Resolution
Confirm the service account has Global Administrator permissions set, if yes, allow the environment time to replicate changes.
Try the Domain Move steps in a few hours.