I am attempting to deploy a Windows VM in Azure that will be running DNS for resolving a private zone in my VNet. I have created the VNet and set the IP address of the VM as the DNS server for the VNet. Since I have configured the VNet with a private DNS server, the VM gets the placeholder suffix of reddog.microsoft.com. I install DNS on the VM and create my forward and reverse zones. Since the VMs in the VNet will not be domain joined, I configure DDNS to allow unsecure updates. Outside of manually registering a record for the VM running DNS, I am unable to get it to register records. When I try to change the DNS suffix on the NIC, as soon as I click OK on the NIC properties window, my connection is killed and I am no longer able to get back into the VM. The only thing I can do at this point is to destroy it and start over. What am I missing here? Will I have to manually register records for anything I put into the VNet?
Update
From this document about Name resolution that uses your own DNS server:
When you are using Azure-provided name resolution, Azure Dynamic Host
Configuration Protocol (DHCP) provides an internal DNS suffix
(.internal.cloudapp.net) to each VM. This suffix enables hostname
resolution because the hostname records are in the
internal.cloudapp.net zone. When you are using your own name
resolution solution, this suffix is not supplied to VMs because it
interferes with other DNS architectures (like domain-joined
scenarios). Instead, Azure provides a non-functioning placeholder
(reddog.microsoft.com).
It says that your custom DNS suffix is not supplied to VMs because it interferes with other DNS architectures (like domain-joined scenarios). Moreover, Azure doesn't have the credentials to directly create records in your DNS servers. Azure leaves the primary DNS suffix blank, and you can set the suffix in the VM as in the picture below:
After changing the DNS suffix, restart the VM; you will then see the new DNS suffix in the DNS Suffix Search List in the output of command-prompt commands.
Go to the DNS server and you will see the DNS records updated. Before this, make sure you have set Dynamic updates to "Nonsecure and secure" in the zone properties.
How can we allow application workloads to manage their own DNS entries when their VMs also need to be joined to an AADDS domain (without violating the principle of least privilege)?
Background
We have the following network configuration:
A Hub VNET containing an Azure AD Domain Services (AADDS) managed domain called mydomain.co.uk. This VNET will also host a VNET Gateway, a Bastion instance and a couple of management VMs.
Multiple "environment" VNETs, all peered to the Hub, to run application workloads. These workloads are all currently running on domain-joined VMs & VMSSs that are behind both a Standard Load Balancer (for internal traffic) and an Application Gateway (for public traffic). The IP addresses of those load balancers and App Gateways need to be resolvable via DNS.
Requirements
We would like all applications to be resolvable using the same TLD domain - both internally and externally (e.g. myapp.env1.mydomain.co.uk should work internally and externally).
The Hub is created by a single pipeline running a terraform configuration that is maintained by the Platform team. The platform Team should not need to be involved when provisioning environments.
Each environment is created by its own pipeline, running terraform configurations that are maintained by the various Product Teams. The Product Teams should be able to spin up & destroy environments without any input from the Platform Team.
Problem
Public DNS resolution was easy to setup. We simply granted each environmental pipeline permission to register records in an Azure public DNS zone. The problem arose when we tried to solve internal DNS Resolution.
We tried creating a Private DNS zone for `mydomain.co.uk` and linking it to the environmental VNETs. Unfortunately, the VMs in those VNETs then fail to join to the domain due to the lack of domain SRV records (these are created by default in AADDS). So it seems that AADDS requires that any VNETs containing VMs that want to join to the domain use its IP addresses for DNS resolution. This means any apps running on those VMs must send their DNS query to AADDS, not to an Azure Private DNS Zone.
We thought about giving the environment pipelines permission to create records in the AADDS DNS zone. Unfortunately, the Microsoft docs say that only users that are members of the "AAD DC Administrators" group can add/remove DNS records. This is far too much power to give to the environmental pipelines (it would allow them to delete other workloads' VMs from the domain for example).
We then tried linking the Private DNS zone to the Hub VNET, in the hope that we could configure AADDS to forward any DNS requests that it can't resolve to Azure DNS. Unfortunately, AADDS does not forward any DNS requests for mydomain.co.uk onto Azure DNS - presumably because it believes it is authoritative for that zone.
Is there another mechanism that we haven't thought of yet?
• Since you want the app workloads running on VMs in the spoke virtual network to search or forward the DNS requests from the Azure private DNS zone to the AADDS, you can surely leverage the functionality of a conditional forwarder in this regard. Thus, to use this functionality, you would need to configure a VM as a 'Domain Controller' for this managed domain and associate it with a subnet that is reachable by all the domain-joined resources in the hub and spoke virtual network model.
To join a VM to a managed domain and configure it as a 'Domain Controller' for serving the full features of ADDS and DNS, refer to the link below for more details:
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/manage-dns#before-you-begin
Also, to configure the conditional forwarder on the AADDS-joined VM configured as a DC, make sure to install the DNS Server tools and use the DNS console to manage the records in AADDS, then follow the steps below to configure a conditional forwarder on the AADDS VM:
a) Log in to the VM and open 'Administrative Tools' --> 'DNS' --> the DNS Management Console opens --> Connect to DNS Server dialog
b) Select Conditional Forwarders, then right-click and choose New Conditional Forwarder --> enter the other DNS domain, for example 'contoso.com', then enter the IP addresses of the DNS servers for that namespace as shown below:
c) Check the box for "Store this conditional forwarder in Active Directory, and replicate it as follows", then select the option for 'All DNS servers in this domain', as shown in the following example:
‘Conditional forwarder should be stored in the domain, not in the forest’
d) Name resolution of resources in other namespaces from VMs connected to the managed domain should now work correctly. Queries for the DNS domain configured in the conditional forwarder are passed to the relevant DNS servers (the Azure private DNS zone), and from there the DNS requests are forwarded on to the Azure VMs mapped or registered in it.
Thus, in this way, if you configure AADDS to forward any DNS requests to the Azure private DNS zone with the help of conditional forwarder, you would be able to forward the DNS requests for ‘mydomain.co.uk’ to the Azure private DNS zone for further resolution.
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/manage-dns#create-conditional-forwarders
A comment on the above answer (thanks #Kartik), led me to the ultimate answer... which is that I'm trying to do something that is not recommended by Microsoft :-(
Apparently, I shouldn't be using the same name for both my AADDS managed domain and my application workloads:
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance#create-a-managed-domain
If you create a custom domain name, take care with existing DNS namespaces. It's recommended to use a domain name separate from any existing Azure or on-premises DNS name space.
For example, if you have an existing DNS name space of contoso.com, create a managed domain with the custom domain name of aaddscontoso.com. If you need to use secure LDAP, you must register and own this custom domain name to generate the required certificates.
It seems I am going to have to:
Choose another name for my managed domain (e.g. aadds.mydomain.co.uk)
Set all VNETs to use it for DNS resolution.
Setup a DNS forwarder to an Azure Private DNS zone containing the records for my workloads (mydomain.co.uk).
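The conditional forwarder that the answer above clicks through in the DNS console, and the forwarder step in the plan just above, can both be done with the DnsServer PowerShell module. The following is an added example, not code from either poster or from Microsoft's documentation. It assumes the renamed design: managed domain aadds.mydomain.co.uk whose DNS is served from 10.0.0.4 (an assumed address; the portal shows the real pair), and the workload records in an Azure Private DNS zone called mydomain.co.uk. It runs on a VM joined to the managed domain with the DNS Server tools installed; AADDS does not let you promote your own domain controller, and the "manage DNS" document linked above is this remote-management setup. The forwarder target is 168.63.129.16, the Azure-provided resolver, which answers for Private DNS zones linked to the VNet the query leaves from, so the zone must be linked to the hub VNet where the managed domain lives, not only to the spokes.

```powershell
# Added example (not from the original answers). Run on a VM joined to the managed domain.
# Assumed values: managed domain aadds.mydomain.co.uk served from 10.0.0.4,
# workload zone mydomain.co.uk hosted as an Azure Private DNS zone linked to the hub VNet.
$ManagedDns    = '10.0.0.4'          # one of the managed domain's DNS IPs
$WorkloadZone  = 'mydomain.co.uk'    # Private DNS zone holding myapp.env1.mydomain.co.uk etc.
$AzureResolver = '168.63.129.16'     # Azure-provided resolver; serves Private DNS zones linked to the querying VNet

Install-WindowsFeature -Name RSAT-DNS-Server | Out-Null

# Sanity check. If the managed domain hosts a primary zone with this name (the original design,
# where the managed domain itself was mydomain.co.uk), the server is authoritative and a forwarder
# for the same name is never consulted. That is the "AADDS does not forward" behaviour described above.
$existing = Get-DnsServerZone -ComputerName $ManagedDns -Name $WorkloadZone -ErrorAction SilentlyContinue
if ($existing -and $existing.ZoneType -ne 'Forwarder') {
    throw "$ManagedDns is authoritative for $WorkloadZone (ZoneType $($existing.ZoneType)); rename the managed domain first."
}

if ($existing) {
    # Forwarder already present from an earlier run: just make sure it points at the Azure resolver.
    Set-DnsServerConditionalForwarderZone -ComputerName $ManagedDns -Name $WorkloadZone -MasterServers $AzureResolver
} else {
    # ReplicationScope Domain is the "All DNS servers in this domain" option, so both managed DCs get it.
    Add-DnsServerConditionalForwarderZone -ComputerName $ManagedDns -Name $WorkloadZone `
        -MasterServers $AzureResolver -ReplicationScope Domain
}

# Verify the path client -> managed DNS -> 168.63.129.16 -> Private DNS zone from any domain-joined VM.
# -DnsOnly skips the local cache and hosts file so the answer really comes from $ManagedDns.
Resolve-DnsName -Name "myapp.env1.$WorkloadZone" -Type A -Server $ManagedDns -DnsOnly

# Names under the managed domain are still answered locally: the more specific zone
# (aadds.mydomain.co.uk) wins over the forwarder for its parent, so domain join keeps working.
Resolve-DnsName -Name "_ldap._tcp.aadds.$WorkloadZone" -Type SRV -Server $ManagedDns -DnsOnly
```

The product-team pipelines only need rights on the Private DNS zone (a Private DNS Zone Contributor-style assignment scoped to mydomain.co.uk), which is the least-privilege outcome the question asks for; nothing in the managed domain is touched after the forwarder exists.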
So I have a VNet in Azure, which needs to resolve names to servers back in the on-premises environment. I can set the VNet to use custom DNS servers and specify our current DNS boxes' IPs.
However, whenever I do that I seem to lose the ability to resolve any Azure-based names for VMs hosted in the Azure VNet.
So I added 168.63.129.16 to the list of custom DNS servers, but not much luck. I am thinking of adding 168.63.129.16 to the existing on-premise DNS boxes so it can be used to forward Azure based request to it.
Bottom line: I need to resolve names back to on-premises but keep Azure name resolution for all VMs within the VNet. I'll also be running AAD Domain Services on the same VNet (so my custom DNS server list will need to add the 2 extra AAD DS IPs for it).
Any other ideas?
Your DNS is not able to resolve your Azure-based servers because it doesn't know about them, and if you're moving to use AAD DS then this will get worse. You will need to either join these machines to the domain (to auto-register with DNS) or manually add entries for them.
You won't be able to split your DNS between two different systems.
I'm using a template to deploy an Elastic cluster and am having issues with the nodes setting up/deploying correctly when I choose my own subnet. It seems this is due to how the virtual machines by default seem to have a DNS record for their private IP address, but in my case this isn't happening.
Azure DNS (reddog.microsoft.com) 10.0.1.4
What is this DNS server?
Where is it hosted?
Is it automatically deployed to every VPN?
Why do some machines automatically get a record entry and others not?
How can I ensure that machines get an entry?
I am currently trying to use a template to deploy Elasticsearch. If I deploy elasticsearch by creating a subnet during deployment then I get host entries on each ubuntu VM in /etc/hosts and also an A-Record for each VM in this DNS server. The deployment is successful.
If however I choose for the template to deploy in my own subnet I find that the machines don't have each other in /etc/hosts and the DNS server doesn't contain an A-Record and therefore can't resolve each other via name. Deployment therefore fails.
The template I am deploying via the Azure portal UI:
Elastic Stack - (Elasticsearch, Kibana, X-Pack)
Any help appreciated,
Thank you
Based on the IP and the DNS search suffix, that is a custom DNS server. It would be configured as part of the virtual network properties or as part of the DNS settings on the individual NIC.
Is there a way to point an Azure NIC to the records one created in an Azure DNS zone?
At present Azure DNS doesn't support private DNS zones, i.e. those only available to your vnet. Also, the DNS servers specified in the "Add DNS server" box needs to be a recursive resolver, Azure DNS is an Authoritative DNS service, i.e. it will only serve answers for the zones it hosts.
We can't add an Azure DNS zone to the NIC's custom DNS. The custom DNS setting requires an IP address; we can add a DNS server's IP address to it.
For example, we can add 8.8.8.8 to it, or we can add a local DNS server's IP address to it (needs VPN). Or create an Azure Windows VM, install the DNS role on it, and add this VM's IP address to it.
If you want to use an Azure DNS zone to manage your records, we can map your own domain name to the DNS zone and add the name servers to your domain name (add these via your domain registrar's management page).
The following image shows an example DNS query about Azure DNS zone:
If you want to add records to a DNS zone, and you want to map your 3rd-party domain name to the Azure DNS zone, we can follow the steps in that answer.
Note:
Keep in mind Azure DNS is not the domain registrar; we should buy the domain name from a domain registrar (like GoDaddy, register.com).
Update:
If you just want to use a domain name in your virtual network, there is no need to buy a domain; we can use AAD DS in our virtual network. Or we can deploy a VM and install a DC on it, working as on-prem.
By the way, in the same virtual network, we can ping VM's name by default.
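The first answer above makes a point worth checking before you type an address into a VNet's custom DNS list: the server must be a recursive resolver, and Azure DNS name servers are authoritative-only, so they refuse anything outside the zones they host. (That answer's "at present" no longer holds for private zones; Azure Private DNS zones exist and are what the AADDS question earlier on this page uses. The resolver-versus-authoritative distinction is unchanged.) The following PowerShell probe is an added example, not part of either answer. ns1-01.azure-dns.com is one of the Azure DNS name-server hosts; substitute the ones assigned to your zone, and replace the placeholder hosted name with a record you actually publish. 168.63.129.16 is only reachable from inside a VNet, so run that probe from a VM.

```powershell
# Added example (not from the original answers). Classifies a DNS server as recursive or
# authoritative-only by asking it for a name it does not host.
function Test-DnsServerRecursion {
    param(
        [Parameter(Mandatory)][string]$Server,   # IP or hostname of the server to probe
        [string]$HostedName,                     # optional: a name the server is known to host
        [string]$ForeignName = 'example.com'     # a name the server does not host; any resolver can answer it
    )
    $result = [ordered]@{ Server = $Server; AnswersHostedName = $null; Recursive = $false }

    if ($HostedName) {
        try {
            # -DnsOnly bypasses the local cache and hosts file so the answer really comes from $Server.
            $null = Resolve-DnsName -Name $HostedName -Type A -Server $Server -DnsOnly -ErrorAction Stop
            $result.AnswersHostedName = $true
        } catch {
            $result.AnswersHostedName = $false
        }
    }

    try {
        $null = Resolve-DnsName -Name $ForeignName -Type A -Server $Server -DnsOnly -ErrorAction Stop
        # A real answer for a foreign name means the server recursed (or cached) for us.
        $result.Recursive = $true
    } catch {
        # Authoritative-only servers return REFUSED for names outside their zones,
        # which Resolve-DnsName surfaces as an error. Such a server is useless as a VNet resolver.
        $result.Recursive = $false
    }
    [pscustomobject]$result
}

# Azure DNS name server (assumed to host the placeholder zone): hosted name answered, foreign name refused.
Test-DnsServerRecursion -Server 'ns1-01.azure-dns.com' -HostedName 'www.yourzone.example'
# Azure-provided resolver, from inside a VNet: recursive, and it also serves the VNet's linked Private DNS zones.
Test-DnsServerRecursion -Server '168.63.129.16'
```

A server that reports Recursive = $false should never go into the VNet's DNS list on its own; front it with a resolver (Azure's 168.63.129.16, a DNS VM, or AAD DS) that forwards to it.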
We are trying to register the Azure VM to our own DNS Server but not able to do so.
We have already set up the VPC, Virtual Network and Gateway to connect to our DNS server.
We have also specified our DNS server within the Virtual Network.
From what I understand, you're looking to register your VMs internal IPs in your DNS server. Is that correct?
If so, Windows clients do this automatically when domain joined and will send an unsecured Dynamic DNS update when not domain joined but you need to create a DNS zone for the records and allow unsecured updates, which is not the default. Linux clients need a script added to the DHCP client to send the dynamic DNS updates. I'm in the process of creating a page on Azure.com for this and can share the commands in the meantime if you're using that setup.
Gareth
(Azure DNS)
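The registration path that this answer and the first thread on the page describe (a zone that accepts unsecured updates on the server, a DNS suffix on the client) can be set up from PowerShell without touching the adapter's IP settings. The following is an added example, not code from any of the posters or from Azure's documentation; the zone name corp.internal, the subnet 10.0.1.0/24 and the DNS server address 10.0.1.4 are assumed values, and the Linux side (an nsupdate hook in the DHCP client) is not shown. The client part uses the connection-specific suffix rather than the primary suffix from the first thread's screenshot; both register the name, but Set-DnsClient needs no reboot and leaves addressing alone, which matters because Azure hands the VM its address over DHCP and changing the adapter's IPv4 settings inside the guest is a known way to lose the connection.

```powershell
# Added example (not from the original thread). Assumed values: zone corp.internal,
# VNet subnet 10.0.1.0/24, DNS server VM at 10.0.1.4 (set as the VNet's custom DNS server).

# ---- On the Windows VM that runs the DNS Server role ----
$Zone      = 'corp.internal'
$NetworkId = '10.0.1.0/24'

Install-WindowsFeature -Name DNS -IncludeManagementTools | Out-Null

# Forward zone. NonsecureAndSecure is the "Nonsecure and secure" option in the zone properties and is
# what lets non-domain-joined clients register. It also means any host that can reach port 53 on this
# VM can overwrite any record, so keep the server reachable only from the VNet (NSG rule) and never
# give it a public IP.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate NonsecureAndSecure
}
# Reverse zone (1.0.10.in-addr.arpa) so the same client registration also creates PTR records.
if (-not (Get-DnsServerZone -Name '1.0.10.in-addr.arpa' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $NetworkId -ZoneFile '1.0.10.in-addr.arpa.dns' -DynamicUpdate NonsecureAndSecure
}

# ---- On every VM in the VNet that should register itself ----
# Only the DNS client configuration is changed; the adapter's DHCP-assigned address is left as Azure set it.
$Zone = 'corp.internal'
$nic  = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1

Set-DnsClient -InterfaceIndex $nic.ifIndex `
    -ConnectionSpecificSuffix $Zone `
    -RegisterThisConnectionsAddress $true `
    -UseSuffixWhenRegistering $true

# Send the dynamic update now instead of waiting for the next DHCP renewal or reboot.
Register-DnsClient

# ---- Back on the DNS server: confirm the A records landed (Timestamp is set on dynamic records) ----
Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Select-Object HostName, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }, Timestamp
```

If a client still does not appear, check that the server the VNet hands out via DHCP is the one hosting the zone (ipconfig /all on the client) and that the NSG allows UDP and TCP 53 from the subnet; the update is sent to the SOA of the zone, which the client learns from that same server.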