Rationalization attempt for using Azure Private DNS Zones with Active Directory Domain Services

In my previous post I made an attempt to use Azure Private DNS Zones together with Active Directory Domain Services (ADDS).

After trying it out I was quite satisfied with the result, but the execution looked a bit messy to me. This provides an opportunity for some rationalization and potentially some standardization and optimization in provisioning this solution. As I ‘cheated’ a little bit, I wanted to make sure that those shortcuts are no longer used, so that things are done ‘the right way’.

I cleaned up all relevant resources, except the VNet and the Azure DNS Private Resolver so I could start with a clean sheet. I removed the IP address of the Inbound Endpoint and reverted to the default configuration for DNS as shown below:

The next step was creating two Private DNS Zones matching the ones found in an ADDS-integrated DNS zone. I used domain.local as an example, like in my previous post, and I linked them to the VNet with auto-registration disabled:

The next step was deploying a new VM, installing ADDS on it and promoting it to a domain controller. I looked at the DNS configuration again, as the promotion installed a DNS server on the VM as well. This is normal behavior, since no DNS delegation is available in this scenario, and it allows me to collect the records needed.

This time I decided to collect the records a bit more elegantly and manageably, using the two cmdlets displayed below:

These cmdlets result in two .csv files I can easily open and copy their contents to Excel for easier data processing.

OK, now for the fun part…

In my previous post I stated that you can export this as an ARM template so it can be reused. However, since most of these values are fixed, using a template, or a ‘declarative’ approach, may not be the easiest way to do it. So I checked whether I could use an ‘imperative’ approach with the Azure CLI. An overview of the Azure CLI commands for managing Azure Private DNS Zones is available at https://learn.microsoft.com/en-us/cli/azure/network/private-dns?view=azure-cli-latest

After analyzing the records, all I need are the CLI commands to create A, SRV and CNAME records. For the sake of convenience, the list below displays each reference:

NOTE: The CNAME record may be a bit tricky, as the link would suggest a CNAME record set needs to be created before setting it. Fortunately, the documentation states the record set will be created if it doesn’t exist.

These commands work well in a Bash session. Bash supports variables, which makes handling the fixed values easy and keeps the set of commands clean. After going through the collected records, I came up with this set of commands to create all required records:

#
# domain1.local records
#
MyResourceGroup=domain1.local
Zone=domain1.local
Hostname=dc01.domain1.local
IPAddress=172.16.0.4
ComputerName=dc01

#
# A records
#
az network private-dns record-set a add-record -g $MyResourceGroup -z $Zone -n $ComputerName -a $IPAddress
az network private-dns record-set a add-record -g $MyResourceGroup -z $Zone -n DomainDnsZones -a $IPAddress
az network private-dns record-set a add-record -g $MyResourceGroup -z $Zone -n ForestDnsZones -a $IPAddress

#
# SRV records
#
# gc
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n _gc._tcp -t $Hostname -r 3268 -p 0 -w 100
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n _gc._tcp.Default-First-Site-Name._sites -t $Hostname -r 3268 -p 0 -w 100

# kerberos
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n _kerberos._tcp -t $Hostname -r 88 -p 0 -w 100
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n _kerberos._tcp.Default-First-Site-Name._sites -t $Hostname -r 88 -p 0 -w 100
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n _kerberos._udp -t $Hostname -r 88 -p 0 -w 100

# kpasswd
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n _kpasswd._tcp -t $Hostname -r 464 -p 0 -w 100
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n _kpasswd._udp -t $Hostname -r 464 -p 0 -w 100

# ldap
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n _ldap._tcp -t $Hostname -r 389 -p 0 -w 100
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n _ldap._tcp.Default-First-Site-Name._sites -t $Hostname -r 389 -p 0 -w 100
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones -t $Hostname -r 389 -p 0 -w 100
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones -t $Hostname -r 389 -p 0 -w 100
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n _ldap._tcp.DomainDnsZones -t $Hostname -r 389 -p 0 -w 100
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n _ldap._tcp.ForestDnsZones -t $Hostname -r 389 -p 0 -w 100

#
# _msdcs.domain1.local records
#
MyResourceGroup=domain1.local
Zone=_msdcs.domain1.local
Hostname=dc01.domain1.local
IPAddress=172.16.0.4
SiteGUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
DomainGUID=_ldap._tcp.XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.domains

#
# CNAME records
#
az network private-dns record-set cname set-record -g $MyResourceGroup -z $Zone -n $SiteGUID -c $Hostname

#
# A records
#
az network private-dns record-set a add-record -g $MyResourceGroup -z $Zone -n gc -a $IPAddress

#
# SRV records
#
# gc
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n _ldap._tcp.Default-First-Site-Name._sites.gc -t $Hostname -r 3268 -p 0 -w 100
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n _ldap._tcp.gc -t $Hostname -r 3268 -p 0 -w 100

# kerberos
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n _kerberos._tcp.dc -t $Hostname -r 88 -p 0 -w 100
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n _kerberos._tcp.Default-First-Site-Name._sites.dc -t $Hostname -r 88 -p 0 -w 100

# ldap
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n $DomainGUID -t $Hostname -r 389 -p 0 -w 100
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n _ldap._tcp.dc -t $Hostname -r 389 -p 0 -w 100
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n _ldap._tcp.Default-First-Site-Name._sites.dc -t $Hostname -r 389 -p 0 -w 100
az network private-dns record-set srv add-record -g $MyResourceGroup -z $Zone -n _ldap._tcp.pdc -t $Hostname -r 389 -p 0 -w 100

Running these commands creates those records pretty quickly, as can be seen in the screenshots of both zones below:

I chose to sort the commands by record type and port number to keep them readable.

Afterwards, I created a second VM to see if I could join that machine to the domain. The steps are the same as shown in the previous post, and the join succeeded.

So, there it is. A more rationalized, standardized and optimized approach to using Azure Private DNS Zones together with ADDS. Keep in mind that once more machines are promoted to a domain controller, additional records need to be created for each of them as well. However, that can be done by reusing the set of commands already collected and adjusting the variables set at the start of each part.
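As an added example (not the post's own script), the same record set as a parameterized Bash function that emits the az commands for any domain controller, so a second DC only needs different arguments instead of an edited copy of the commands. The resource group, site name and both GUIDs are placeholder values, and the function only prints commands; review them and pipe the output into bash when they look right.

```shell
# Record table for one DC: "SRV name port"; SITE and DOMAINGUID are filled in per call.
DOMAIN_SRV='_gc._tcp 3268
_gc._tcp.SITE._sites 3268
_kerberos._tcp 88
_kerberos._tcp.SITE._sites 88
_kerberos._udp 88
_kpasswd._tcp 464
_kpasswd._udp 464
_ldap._tcp 389
_ldap._tcp.SITE._sites 389
_ldap._tcp.SITE._sites.DomainDnsZones 389
_ldap._tcp.SITE._sites.ForestDnsZones 389
_ldap._tcp.DomainDnsZones 389
_ldap._tcp.ForestDnsZones 389'
# Same table for the _msdcs zone.
MSDCS_SRV='_ldap._tcp.SITE._sites.gc 3268
_ldap._tcp.gc 3268
_kerberos._tcp.dc 88
_kerberos._tcp.SITE._sites.dc 88
_ldap._tcp.DOMAINGUID.domains 389
_ldap._tcp.dc 389
_ldap._tcp.SITE._sites.dc 389
_ldap._tcp.pdc 389'

# emit_srv ZONE TABLE RG HOST SITE DOMAINGUID: one az command per table row.
emit_srv() {
  echo "$2" | sed "s/SITE/$5/; s/DOMAINGUID/$6/" | while read -r name port; do
    echo "az network private-dns record-set srv add-record -g $3 -z $1 -n $name -t $4 -r $port -p 0 -w 100"
  done
}

# gen_dc_commands RG DOMAIN HOST IP SITE DSAGUID DOMAINGUID
# Prints every command needed for one domain controller (26 for the post's record set).
gen_dc_commands() {
  rg=$1; domain=$2; host=$3; ip=$4; site=$5; dsaguid=$6; domainguid=$7
  # domain zone: A records for the DC short name, DomainDnsZones and ForestDnsZones
  for name in "${host%%.*}" DomainDnsZones ForestDnsZones; do
    echo "az network private-dns record-set a add-record -g $rg -z $domain -n $name -a $ip"
  done
  emit_srv "$domain" "$DOMAIN_SRV" "$rg" "$host" "$site" "$domainguid"
  # _msdcs zone: the GUID CNAME (SiteGUID in the post's variables), the gc A record, then SRV records
  echo "az network private-dns record-set cname set-record -g $rg -z _msdcs.$domain -n $dsaguid -c $host"
  echo "az network private-dns record-set a add-record -g $rg -z _msdcs.$domain -n gc -a $ip"
  emit_srv "_msdcs.$domain" "$MSDCS_SRV" "$rg" "$host" "$site" "$domainguid"
}

# Constructed sample values; both GUIDs are placeholders, not real ones.
gen_dc_commands domain1.local domain1.local dc01.domain1.local 172.16.0.4 \
  Default-First-Site-Name 00000000-0000-0000-0000-000000000001 00000000-0000-0000-0000-000000000002
```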

Hope this helps!


Posted by on 19/03/2023 in Azure, Cloud, DNS, Public Cloud
