DNS Stub Zone (VMs in Azure)

Lutz Rahe 61 Reputation points

Hi everyone

I have a question:

We have a huge Active Directory forest (company.local.com) on premise, and also 2 additional Domain Controllers in Azure as part of it (DC-AZ1.company.local.com and DC-AZ2.company.local.com). Both of these 2 DCs have the DNS role installed (Active Directory integrated). The FSMO role holder DC-A is located on-premise. There are also more than 10 other DCs in other on-premise locations.

As part of our security restrictions, the DCs are NOT allowed to go to the internet, which means these DNS servers cannot resolve Azure services (e.g. SQL managed databases). Using a conditional forwarder on these DCs is not allowed either.

To resolve this, we have installed 2x "standalone" DNS servers with a Stub Zone. These 2 servers, DNS1 and DNS2, load their zone information from DC-AZ1.company.local.com and DC-AZ2.company.local.com. Name resolution (nslookup) for servers in the company.local.com domain is not a problem. These 2 servers are also allowed to go to the Internet, so they can find the Azure services (e.g. the SQL managed database) as well.

We have pointed the DNS settings for our VMs in Azure to these 2 DNS servers.

Question 1:

What is the exact flow when a new server wants to join the domain? Where does it send the request, and where is the DNS record created?

What I think happens is:

1. Domain join request to DNS1
2. Answer with the correct name server
3. Domain join sent to the correct name server
4. After approval, DNS entry created
5. DNS entry replicated via Active Directory to all other DNS servers


Question 2:

In about 50% of cases, during the domain join (which takes a long time), we get the error "the network name company.local.com isn't available anymore". Sometimes a second try works, sometimes not. (In case of "not working", we change the DNS settings from the Stub Zone DNS servers to the AD DNS servers (in Azure), then the domain join process works. After joining, we change back to the Stub Zone DNS servers.)

Is this a "runtime" problem? Or what can be the reason for this?

It would be very helpful to clear up this DNS miracle a bit.

Thank you
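A diagnostic check for the situation described above, added here as an example and not part of the original post: it asks both the stub-zone servers (DNS1/DNS2) and the AD-integrated servers (DC-AZ1/DC-AZ2) for the records a domain join depends on, and reports differences and response times. The server addresses are placeholders; the record names follow the standard DC locator layout under _msdcs.

```powershell
# Added example (not from the original post): compare DC locator resolution via the
# stub-zone DNS servers against the AD-integrated DNS servers.
# IPs below are placeholders; replace with DNS1/DNS2 and DC-AZ1/DC-AZ2.
$Domain      = 'company.local.com'
$StubServers = @('10.0.0.10', '10.0.0.11')   # DNS1, DNS2 (stub zone) - placeholders
$AdServers   = @('10.0.0.20', '10.0.0.21')   # DC-AZ1, DC-AZ2 (AD DNS) - placeholders

# Records a domain join needs: DC locator SRV records plus the zone's NS and A records.
$Queries = @(
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain";     Type = 'SRV' },
    @{ Name = "_kerberos._tcp.dc._msdcs.$Domain"; Type = 'SRV' },
    @{ Name = $Domain;                            Type = 'NS'  },
    @{ Name = $Domain;                            Type = 'A'   }
)

function Test-DnsPath {
    param([string[]]$Servers, [string]$Label)
    foreach ($server in $Servers) {
        foreach ($q in $Queries) {
            $sw = [System.Diagnostics.Stopwatch]::StartNew()
            try {
                # -DnsOnly skips hosts file, LLMNR and NetBIOS fallbacks.
                $r = Resolve-DnsName -Name $q.Name -Type $q.Type -Server $server -DnsOnly -ErrorAction Stop
                $answer = ($r | Where-Object { $_.Type -eq $q.Type } | ForEach-Object {
                    switch ($q.Type) { 'SRV' { $_.NameTarget } 'NS' { $_.NameHost } default { $_.IPAddress } }
                } | Sort-Object) -join ','
                $status = 'OK'
            } catch {
                $answer = $_.Exception.Message
                $status = 'FAIL'
            }
            $sw.Stop()
            [pscustomobject]@{
                Path = $Label; Server = $server; Query = "$($q.Type) $($q.Name)"
                Status = $status; Ms = $sw.ElapsedMilliseconds; Answer = $answer
            }
        }
    }
}

# FAIL rows or much slower answers on the Stub path point at the stub-zone hop;
# run several times to catch the intermittent case described in the question.
$results = @(Test-DnsPath -Servers $StubServers -Label 'Stub') + @(Test-DnsPath -Servers $AdServers -Label 'AD')
$results | Format-Table -AutoSize

# On DNS1/DNS2 themselves (DnsServer module), confirm the stub zone's masters are DC-AZ1/DC-AZ2:
# Get-DnsServerZone -Name $Domain | Select-Object ZoneName, ZoneType, MasterServers
```

Run it from the VM that fails to join, with its current DNS client settings, so the Stub rows show exactly what the join process sees.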



2 answers

  1. Leon Laude 85,216 Reputation points


    Q&A currently supports the products listed over here https://learn.microsoft.com/en-us/answers/products (more to be added later on).

    You can reach out to the experts in the dedicated "Windows Server - DNS" forum over here:

    (Please don't forget to accept helpful replies as answer)

    Best regards,


  2. Lutz Rahe 61 Reputation points

    Hi Leon,

    Thank you for your answer.
    Funny fact is... I tried in your recommended forum before, and a MS member (Candy LuoWicresoft(MSFT CSG)) sent me to this forum :-)