In a hybrid environment, when configuring a new azure domain controller in an existing domain, where should you set the dns server setting

Question

In a hybrid environment, when configuring a new azure domain controller in an existing domain, where should you set the dns server setting

Maria Shah 0

Setting up a new domain controller in Azure in an existing environment. When setting server settings you should set dns to all other domain controllers in the environment and loopback IP as secondary DNS server. Should you also configure the VM's Azure dns to custom and add the loopback IP?

Mohamed Javeed Thettilayil 10 Reputation points

2024-01-13T09:57:34.2066667+00:00
Using Loopback IP as DNS for Domain Controller NIC is recommended but not as DC's primary DNS (Ref: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/ff807362(v=ws.10))

DNS setting can be implemented on Azure VMs either directly on the VM NIC or via custom DNS setting on the VNET.

Custom DNS setting on the VNET will affect all VMs hosted in the VNET. (unless you dedicate a VNET for the DCs)

So if we were to use loopback in the VNET custom DNS setting, and if you have a member server in the same VNET, this will lead to a loopback on the member server which will be an incorrect config.

Hence best to not use the loopback on the custom DNS of the VNET, but use the loopback as the second or third DNS on the DC's NIC.

Not an office doc and I am not the author of this, but this might be helpful: https://azurescene.com/2020/04/17/how-to-deploy-a-domain-controller-in-microsoft-azure/
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2024-01-25T20:18:00.1+00:00

@Maria Shah
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

2 answers

Your answer

Mohamed Javeed Thettilayil 10 Reputation points

2024-01-13T09:57:34.2066667+00:00

Using Loopback IP as DNS for Domain Controller NIC is recommended but not as DC's primary DNS (Ref: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/ff807362(v=ws.10))

DNS setting can be implemented on Azure VMs either directly on the VM NIC or via custom DNS setting on the VNET.

Custom DNS setting on the VNET will affect all VMs hosted in the VNET. (unless you dedicate a VNET for the DCs)

So if we were to use loopback in the VNET custom DNS setting, and if you have a member server in the same VNET, this will lead to a loopback on the member server which will be an incorrect config.

Hence best to not use the loopback on the custom DNS of the VNET, but use the loopback as the second or third DNS on the DC's NIC.

Not an office doc and I am not the author of this, but this might be helpful: https://azurescene.com/2020/04/17/how-to-deploy-a-domain-controller-in-microsoft-azure/
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2024-01-25T20:18:00.1+00:00

@Maria Shah
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

JimmySalian-2011 42,511

Hi Maria,

Best practice is the VMs or the App Servers should always point to the Domain Controllers and they are the DNS servers so no need to add loopback IP address as they will not resolve records for the app or server.

Hope this helps.

JS

== Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.

Answer 2

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Moderator

Hello @Maria Shah , regardless of being on-premise or in Azure, Active Directory VMs should target AD DNS servers (DCs or not) located in the same network but not the loopback address.

For other scenarios take a look at:

Best practices for DNS client settings in Windows Server (Thanks for providing this one!)
Name resolution for resources in Azure virtual networks
DNS and Active Directory
What is Azure DNS Private Resolver?

Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

Maria Shah 0 Reputation points

2024-01-13T00:30:52.1766667+00:00

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/best-practices-for-dns-client-settings
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2024-01-13T00:39:33.56+00:00

Thanks @Maria Shah for the link. I've included it in my answer!
Maria Shah 0 Reputation points

2024-01-13T00:42:44.62+00:00

Within the article it explains the benefits of using loopback on a domain controller with dns. Note Only a failure to respond will cause the DNS client to switch Preferred DNS servers; receiving an authoritative but incorrect response does not cause the DNS client to try another server. As a result, configuring a Domain Controller with itself and another DNS server as Preferred and Alternate servers helps to ensure that a response is received, but it does not guarantee accuracy of that response. DNS record update failures on either of the servers may result in an inconsistent name resolution experience.
Maria Shah 0 Reputation points

2024-01-13T01:04:23.36+00:00

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/best-practices-for-dns-client-settings. Note Only a failure to respond will cause the DNS client to switch Preferred DNS servers; receiving an authoritative but incorrect response does not cause the DNS client to try another server. As a result, configuring a Domain Controller with itself and another DNS server as Preferred and Alternate servers helps to ensure that a response is received, but it does not guarantee accuracy of that response. DNS record update failures on either of the servers may result in an inconsistent name resolution experience.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2024-01-15T23:58:19.67+00:00

Thanks again fo sharing that Maria. Let us know if you need additional assistance. If my answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution

Share via

In a hybrid environment, when configuring a new azure domain controller in an existing domain, where should you set the dns server setting

2 answers

Your answer