
Running Active Directory Domain Services using an Azure Private DNS Zone and an Azure DNS Private Resolver, does it work?

09 Mar

Azure Private DNS Zones have been around for a little while now since becoming GA. I’ve designed and deployed these services a few times, mostly based on the requirement to access various Azure services (mostly PaaS) using Private Endpoints. The Private DNS Zones you need to create for Private Endpoints are described at https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns

This is all great, however many customers I support in my role as an Azure Architect face challenges relying on legacy (monolithic) applications that can’t be modernized using Azure services, and many of these customers would like to close their on-premises environments (or a hosted private cloud) and leave these datacenter locations. Some of them are more or less forced to by their datacenter provider. Unfortunately, this still results in a lot of ‘lift and shift’ migrations.

Managing IaaS is something I wouldn’t recommend so quickly anymore. If an opportunity arises to replace services running on VMs (or even physical servers) with a native service, then I will try to replace that particular application/role with a native Azure service. Azure Private DNS Zones and DNS Private Resolvers are good candidates to replace DNS servers. More information on these services is available at https://learn.microsoft.com/en-us/azure/dns/private-dns-overview and https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview

Although at the time of writing these services may be considered expensive, they can add great value, especially when you have to manage lots of DNS zones, as all these zones can use the same DNS Private Resolver. This is rather subjective, as it depends on the use cases and on whether they are supported by appropriate Azure governance.

Setting up these Private DNS Zones gives me a great BIND9 vibe. I remember many questions on this in the 70-291 Implementing, Managing, and Maintaining a MS Windows Server 2003 Network Infrastructure exam (yes, the 2003 version of ‘the Beast’, those were the days), so it would be interesting to see if this still works and is supported.

I wouldn’t be surprised if Microsoft actually uses BIND9 under the hood for this service. So it got me thinking: can I deploy and configure an Azure Private DNS Zone in such a way that Active Directory Domain Services (ADDS) can use it? Would I be able to join an ADDS domain using such a configuration?

I am well aware this may not be the approach Microsoft recommends, as Microsoft recommends AD-integrated DNS zones (basically running DNS on the domain controllers), but that doesn’t hold me back from finding out.

Using this approach presents me with some challenges:

  • An ADDS domain generates a few GUIDs that represent the domain
  • Which records do I need to add?
  • You cannot create your own SOA records, and a domain controller cannot register the records needed for the domain to be resolvable by itself

I created a VNet (with a few subnets), an Azure Private DNS Zone (auto registration disabled) and an Azure DNS Private Resolver as per the documentation. I won’t display that here as it is a matter of following the tutorials, and they may be subject to change over time. I configured the VNet to use the inbound endpoint IP address of the Azure DNS Private Resolver as its DNS server. Maybe I cheat a little here, oh well…

I provisioned an Azure VM Instance running Windows Server 2019 (anything newer than 2016 would do) and I promoted it to a domain controller (DC). For this post, I use the domain name domain1.local. Maybe not the best name, but who cares?

I used the PowerShell cmdlet Get-DnsServerResourceRecord to collect all records from the DNS Server installed locally on the DC, see the screenshot below:

I need all relevant A, SRV and CNAME records. The records containing ‘@’ and the NS and SOA records do not need to be collected, as they cannot be added to the Azure Private DNS Zone. An additional export to .csv files can be used to keep all required records at hand.

It’s a bit of a tedious job, but these records need to be added. Fortunately, I can generate a .json template to have them available for future use. All I need to change is the server name and the two GUIDs. Eventually, it may look like this:
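As an added example (not the author’s template), the script below generates such a .json (ARM) template from the server name, its address, the AD site name and the two GUIDs, producing the A, SRV and CNAME record sets a DC normally registers through netlogon.dns and leaving out NS and SOA. It goes one step beyond the post by also including the zone apex A record (named "@" in Azure DNS), which the \\domain1.local\SYSVOL path used by Group Policy depends on. All values below (dc01, 10.0.1.4, the GUIDs) are constructed placeholders.

```python
import json

# Constructed sample values, not taken from the post: replace with your DC hostname,
# address, AD site name and the two GUIDs reported by Get-DnsServerResourceRecord
# on the DC (the domain GUID and the NTDS Settings objectGUID).
ZONE = "domain1.local"
DC_HOST = "dc01"                                        # hypothetical DC hostname
DC_IP = "10.0.1.4"                                      # constructed address
SITE = "Default-First-Site-Name"                        # default AD site name
DOMAIN_GUID = "11111111-1111-1111-1111-111111111111"    # placeholder
DSA_GUID = "22222222-2222-2222-2222-222222222222"       # placeholder
LDAP, KRB, KPASSWD, GC = 389, 88, 464, 3268

def srv_records(site, domain_guid):
    """Relative SRV names and ports a DC registers via netlogon.dns."""
    s = f"{site}._sites"
    return {
        "_ldap._tcp": LDAP, f"_ldap._tcp.{s}": LDAP,
        "_ldap._tcp.pdc._msdcs": LDAP, "_ldap._tcp.dc._msdcs": LDAP,
        f"_ldap._tcp.{s}.dc._msdcs": LDAP,
        "_ldap._tcp.gc._msdcs": GC, f"_ldap._tcp.{s}.gc._msdcs": GC,
        f"_ldap._tcp.{domain_guid}.domains._msdcs": LDAP,
        "_kerberos._tcp": KRB, "_kerberos._udp": KRB, f"_kerberos._tcp.{s}": KRB,
        "_kerberos._tcp.dc._msdcs": KRB, f"_kerberos._tcp.{s}.dc._msdcs": KRB,
        "_kpasswd._tcp": KPASSWD, "_kpasswd._udp": KPASSWD,
        "_gc._tcp": GC, f"_gc._tcp.{s}": GC,
    }

def _resource(zone, rtype, name, props, ttl=600):
    # ARM child resource of the private zone; "@" names the zone apex in Azure DNS.
    return {"type": f"Microsoft.Network/privateDnsZones/{rtype}",
            "apiVersion": "2020-06-01", "name": f"{zone}/{name}",
            "properties": {"ttl": ttl, **props}}

def build_template(zone, dc_host, dc_ip, site, domain_guid, dsa_guid):
    """ARM template with the A, SRV and CNAME record sets; no NS or SOA records."""
    fqdn = f"{dc_host}.{zone}"
    a = {"aRecords": [{"ipv4Address": dc_ip}]}
    resources = [_resource(zone, "A", n, a) for n in ("@", dc_host, "gc._msdcs")]
    resources.append(_resource(zone, "CNAME", f"{dsa_guid}._msdcs",
                               {"cnameRecord": {"cname": fqdn}}))
    for name, port in srv_records(site, domain_guid).items():
        srv = {"srvRecords": [{"priority": 0, "weight": 100, "port": port, "target": fqdn}]}
        resources.append(_resource(zone, "SRV", name, srv))
    return {"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0", "resources": resources}

if __name__ == "__main__":
    print(json.dumps(build_template(ZONE, DC_HOST, DC_IP, SITE, DOMAIN_GUID, DSA_GUID), indent=2))
```

On a forest-root DC the _msdcs records live in a separate zone named _msdcs.domain1.local, so query that zone as well with Get-DnsServerResourceRecord when comparing the DC’s records against this template.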

The next step is to determine if I can join a Windows machine to the domain. I provisioned another Azure VM Instance in the same VNet to see if it works:

OK, domain name populated, now let’s see if we get a prompt:

OK, this looks promising. Let’s use an account that can join a computer to the domain.

Success!

Let’s restart the machine and see what we get.

Looks good to me. Now let’s check if we have a computer account in Active Directory Users and Computers.

Maybe a bit old-school, but there we go.

So yes, we can use a combination of Azure Private DNS Zones, Azure DNS Private Resolver and Active Directory Domain Services. It may depend on your use case and governance whether this approach is suitable. I may need to reach out to my Microsoft contact to determine if Microsoft supports this, as I couldn’t find any relevant documentation. But that may involve some laziness and/or time constraints from my side as well…

 

Posted by on 09/03/2023 in Uncategorized

