Entra domain services DNS

Eddie Vincent 145 Reputation points
2025-01-03T13:52:26.4+00:00

Hi All!

I am looking at using Entra Domain Services as a way of moving some applications from on-premises to the cloud. It looks pretty straightforward and offers several benefits over sticking an AD server on a VM and linking it to on-premises in an IaaS type scenario.

However, there are also plans to implement Azure DNS Private Resolver as part of the network for resolution of both cloud and on-premises names, and as such the following point in this link has raised some concern:

https://learn.microsoft.com/en-gb/entra/identity/domain-services/network-considerations?WT.mc_id=Portal-Microsoft_AAD_DomainServices#ports-required-for-azure-ad-domain-services


While I am aware that the Entra DS domain and the on-premises domain are separate (in fact this is one of the attractions of this service), will the combined setup of Entra DS and the resolver cause a DNS nightmare? And if not, are there any best-practice setups or network designs that could be shared to help?

For reference, the following diagram is not far from what I am looking at achieving (but with a hub-and-spoke style topology): https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-forest. There is a VPN connection currently linking cloud to on-premises, and plans to link Entra DS to the site via a forest trust between both domains.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Entra | Other

Accepted answer
  1. Anonymous
    2025-01-06T13:32:11.9666667+00:00

    Hello @Eddie Vincent,

    Thank you for reaching out to Microsoft Q&A.

    We understand that you are trying to use Entra Domain Services for moving some of your applications from on premises to the cloud. As a part of the transition, you would like to implement Azure DNS resolver for the network for both cloud and on premises.   

    You can have the combination of Entra Domain Services and Azure DNS if it is configured carefully as there are some restrictions to Azure DNS Private Resolver. Whenever you are using Entra Domain Services, it provides its own DNS service, and the virtual network must rely on that DNS. However, this environment can be handled effectively by using DNS Forwarders and Conditional Forwarders. If there are additional namespaces that need to be resolved, you can configure conditional DNS forwarding. The on-premises DNS should be configured to forward queries for the Azure AD DS domain to the Azure AD DS DNS service. 

    By using conditional forwarding between the on-premises DNS and Azure AD DS DNS, along with DNS servers configured in your VNet, you can achieve seamless hybrid DNS resolution while ensuring that resources in both domains can communicate with each other. 

    Sharing a relevant document for more information: https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview

    I hope this explanation helps to clarify the situation. If you have any further questions or need assistance with any other issues, feel free to reach out.

    Thanks & Best Regards, 

    Janaki Kota  

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
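The conditional-forwarding layout the accepted answer describes, written out as PowerShell. This is an added example, not code from the thread or from Microsoft: the on-premises forwarder uses the Windows DnsServer module, the managed-domain forwarder is created the same way from a VM joined to the managed domain (by a member of the AAD DC Administrators group with the RSAT DNS tools installed), and the Private Resolver side uses the Az.DnsResolver module. Every domain name, IP address, resource-group and resource name below is a constructed placeholder, and the Az.DnsResolver parameter shapes should be checked against the help of the module version you have installed.

```powershell
# Added example, not from the Q&A thread. All values are placeholders you must replace.
# Layout assumed: hub VNet hosts the Private Resolver; spoke VNets point their DNS
# servers at the resolver inbound endpoint; the VNet that hosts the managed domain keeps
# the managed-domain DNS IPs as its DNS servers (an Entra DS requirement).

$OnPremDomain  = 'corp.contoso.com'           # on-premises AD DS forest (placeholder)
$OnPremDns     = @('192.168.10.10')           # on-premises DNS servers, reachable over the VPN
$OnPremDc      = 'dc01.corp.contoso.com'      # on-premises DNS server to configure
$ManagedDomain = 'aadds.contoso.com'          # Entra Domain Services managed domain (placeholder)
$ManagedDns    = @('10.0.1.4', '10.0.1.5')    # managed-domain DNS IPs, shown on the Entra DS blade
$HubRg         = 'rg-hub-dns'                 # hub resource group (placeholder)
$Location      = 'uksouth'
$SpokeVnetId   = '/subscriptions/<sub-id>/resourceGroups/rg-spoke/providers/Microsoft.Network/virtualNetworks/vnet-spoke'

# 1. On-premises DNS: send queries for the managed domain to the managed-domain DNS servers.
#    Run on, or remotely against, the on-premises DNS server.
Add-DnsServerConditionalForwarderZone -Name $ManagedDomain -MasterServers $ManagedDns `
    -ReplicationScope 'Forest' -ComputerName $OnPremDc

# 2. Managed-domain DNS: send queries for the on-premises forest back over the VPN.
#    Run from a VM joined to the managed domain, as an AAD DC Administrators member; the
#    managed domain name resolves to a managed DC, so it is used as the target server.
Add-DnsServerConditionalForwarderZone -Name $OnPremDomain -MasterServers $OnPremDns `
    -ReplicationScope 'Domain' -ComputerName $ManagedDomain

# 3. Azure DNS Private Resolver in the hub: one inbound endpoint for spoke VNets to query,
#    one outbound endpoint plus a ruleset that forwards each domain to the right servers.
$hubVnet  = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $HubRg
$inSubnet  = ($hubVnet.Subnets | Where-Object Name -eq 'snet-dns-inbound').Id
$outSubnet = ($hubVnet.Subnets | Where-Object Name -eq 'snet-dns-outbound').Id

$resolver = New-AzDnsResolver -Name 'dnspr-hub' -ResourceGroupName $HubRg -Location $Location `
    -VirtualNetworkId $hubVnet.Id

$inbound = New-AzDnsResolverInboundEndpoint -DnsResolverName $resolver.Name -Name 'in-hub' `
    -ResourceGroupName $HubRg -Location $Location `
    -IpConfiguration @(New-AzDnsResolverIPConfigurationObject -SubnetId $inSubnet -PrivateIPAllocationMethod Dynamic)

$outbound = New-AzDnsResolverOutboundEndpoint -DnsResolverName $resolver.Name -Name 'out-hub' `
    -ResourceGroupName $HubRg -Location $Location -SubnetId $outSubnet

$ruleset = New-AzDnsForwardingRuleset -Name 'frs-hub' -ResourceGroupName $HubRg -Location $Location `
    -DnsResolverOutboundEndpoint @(@{ Id = $outbound.Id })

# Rule per namespace. Domain names in rulesets are fully qualified (trailing dot).
New-AzDnsForwardingRule -DnsForwardingRulesetName $ruleset.Name -ResourceGroupName $HubRg `
    -Name 'to-managed-domain' -DomainName "$ManagedDomain." -ForwardingRuleState 'Enabled' `
    -TargetDnsServer @($ManagedDns | ForEach-Object { New-AzDnsResolverTargetDnsServerObject -IPAddress $_ -Port 53 })

New-AzDnsForwardingRule -DnsForwardingRulesetName $ruleset.Name -ResourceGroupName $HubRg `
    -Name 'to-onprem-forest' -DomainName "$OnPremDomain." -ForwardingRuleState 'Enabled' `
    -TargetDnsServer @($OnPremDns | ForEach-Object { New-AzDnsResolverTargetDnsServerObject -IPAddress $_ -Port 53 })

# Link the ruleset to each spoke VNet that should use these rules.
New-AzDnsForwardingRulesetVirtualNetworkLink -DnsForwardingRulesetName $ruleset.Name `
    -ResourceGroupName $HubRg -Name 'link-spoke' -VirtualNetworkId $SpokeVnetId

# 4. Verification from a spoke VM: the DC-locator SRV records of both forests must resolve
#    through the resolver, and TCP/UDP 53 must be open towards the managed-domain DNS IPs
#    (the port requirement linked in the question).
function Test-HybridDnsPath {
    param([string]$ResolverIp, [string[]]$Zones, [string[]]$DnsIps)
    $results = foreach ($zone in $Zones) {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$zone" -Type SRV -Server $ResolverIp -ErrorAction SilentlyContinue
        [pscustomobject]@{ Zone = $zone; DcRecords = @($srv | Where-Object Type -eq 'SRV').Count }
    }
    $ports = foreach ($ip in $DnsIps) {
        [pscustomobject]@{ Server = $ip; Tcp53 = (Test-NetConnection -ComputerName $ip -Port 53 -WarningAction SilentlyContinue).TcpTestSucceeded }
    }
    return [pscustomobject]@{ Zones = $results; Ports = $ports }
}

$inboundIp = $inbound.IpConfiguration[0].PrivateIPAddress
Test-HybridDnsPath -ResolverIp $inboundIp -Zones @($ManagedDomain, $OnPremDomain) -DnsIps $ManagedDns
```

The point of splitting the rules per namespace is that nothing becomes a blanket forwarder: the managed domain's own VNet keeps the Entra DS DNS servers, spokes ask the resolver, and the resolver only hands each zone to the servers that are authoritative for it. If `DcRecords` is 0 for a zone, check the forwarder for that zone first; if `Tcp53` is false, the NSG or VPN route is blocking the path before DNS is even involved.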

