
To my knowledge there is no way to join a server to AD without the server being able to resolve the AD domain via DNS. Joining requires being able to get multiple records from DNS - including SRV records. So a simple hosts file entry shouldn't work.

With that in mind, my question is: am I correct that there is no other way to join a server to AD without access to a DNS server that hosts the AD records?

The reason I ask is:

I have some servers that are in AWS that need to join an AD domain inside a corporate network. We have a VPN tunnel from AWS back to the corporate network. This domain is not advertised on a public DNS server we can reach from AWS. We do have an internal corporate DNS server with the appropriate records. Now, with some networking changes on the corporate side, we could reach this DNS through our VPN tunnel; however, in AWS we use the AWS DNS service with a delegated zone to resolve server-to-server communication within AWS, and it then reaches out to our corporate public DNS server for anything it can't resolve. We also use the AWS DNS server for health checks on AWS to trigger region failovers.

If we were to point our AWS servers to our internal corporate DNS through the VPN tunnel, we would then no longer be able to resolve internally within AWS.

I only see a couple of options.

  1. Find a way to join a server to AD without using DNS, which I don't think is possible for reasons I stated previously. But if anyone knows differently, please say so.

  2. Expose the AD DNS records on our external (public) DNS.

  3. Redesign our whole DNS design of cloud and corporate environments. This option will take time and maybe it will be the long term solution. But I also need a short term solution in the meantime. Options 1 & 2 are the only short term solutions I can think of and if 1 isn't possible like I think then that leaves me with only option 2.

So do you agree option 1 isn't possible, and/or do you have any other ideas that I haven't already listed?

Thanks in advance

Alex
  • You have a VPN. Can you not assign the on-premises DNS servers to your AWS VMs? The traffic should transit the VPN just like any other AWS to on-premises traffic. – joeqwerty Aug 27 '20 at 13:04
  • Yes, it is possible. There are some issues with doing so. We use AWS DNS within AWS, so if we make the network changes needed to reach our corporate internal DNS and point servers in AWS to use it, then they would no longer be able to resolve systems internally in our AWS accounts. We could do a redesign of DNS, but that would take time. Right now I am looking for a short-term solution that would allow us to join the domain from AWS, and the only thing I can think of is to add the records to our external (public) corporate DNS or find a way to join without DNS, which I don't think is possible. – Alex Aug 27 '20 at 16:50

1 Answer

It's not possible for a computer to join an AD domain without having access to the internal DNS zone for that domain; even if domain joining could be achieved, nothing AD-related would work (including logons, GPOs, etc.) when the computer is unable to properly query AD DNS records.

In AWS we use the AWS DNS service with a delegated zone to resolve server to server communication within AWS and it then reaches out to our corporate public DNS server for anything it can't resolve

The proper solution is to have the servers in AWS use your internal DNS server, which should also contain records for the AWS servers' names (automatically created if they are domain-joined, manually if they are not), so that they will be able to resolve each other's names; of course, your internal DNS server should also be able to resolve Internet names, thus it could do that for AWS servers too.

The real solution would be to create a domain controller in an AWS machine and define an Active Directory site for the AWS network, then have all AWS servers use that DC as their DNS server; with this setup, DNS queries and domain logons would not have to traverse the VPN every time and would keep working even if the VPN connection drops.

Massimo
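Both the question (a join needs SRV records, not just a hosts entry) and the answer (nothing AD-related works when the DC-locator records cannot be queried) come down to one concrete check: can the host resolve the `_msdcs` and related SRV records for the domain from whatever resolver it is actually using? The script below is an added example and is not code from the original question or answer. It builds a DNS SRV query, parses the reply (including name-compression pointers and a non-zero RCODE such as NXDOMAIN, which is exactly what an AWS-only resolver would return for an unadvertised corporate zone), and runs the standard DC-locator names through a chosen server. The domain `corp.example` and the resolver address in the usage comment are placeholders, and the two reply packets at the bottom are constructed by hand so the parser can be exercised offline.

```python
"""Pre-join check for the Active Directory DC-locator SRV records.

Added example, not code from the original post. The domain name and DNS
server are placeholders; SAMPLE_RESPONSE and NXDOMAIN_RESPONSE are
constructed reply packets so the parser can be exercised offline.
"""
import socket
import struct

TYPE_SRV, CLASS_IN = 33, 1

# Record names the DC locator queries when a computer joins or logs on.
DC_LOCATOR_SRV = [
    "_ldap._tcp.dc._msdcs.{d}", "_kerberos._tcp.dc._msdcs.{d}",
    "_ldap._tcp.{d}", "_kerberos._tcp.{d}", "_kerberos._udp.{d}",
    "_kpasswd._tcp.{d}", "_gc._tcp.{d}",
]


def dc_locator_names(domain):
    return [n.format(d=domain) for n in DC_LOCATOR_SRV]


def encode_name(name):
    """Dotted name -> DNS label wire format (uncompressed)."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                   for lab in name.rstrip(".").split("."))
    return out + b"\x00"


def build_srv_query(name, txid=0x1234):
    """Standard query, recursion desired, one SRV question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_SRV, CLASS_IN)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:               # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_srv_response(msg):
    """Return [(priority, weight, port, target)] from the answer section."""
    flags, qd, an = struct.unpack("!HHH", msg[2:8])
    if flags & 0x000F:                            # RCODE != 0, e.g. NXDOMAIN
        return []
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = read_name(msg, off)
        off += 4
    results = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            results.append((prio, weight, port, read_name(msg, off + 6)[0]))
        off += rdlen
    return results


def query_srv(name, server, timeout=2.0):
    """Live check: send the query over UDP/53 to `server`, parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name), (server, 53))
        return parse_srv_response(s.recvfrom(4096)[0])


def check_domain(domain, server):
    """Each DC-locator name -> its SRV answers; an empty list means the join will fail."""
    return {n: query_srv(n, server) for n in dc_locator_names(domain)}


# Constructed replies for offline use (placeholder domain corp.example).
SAMPLE_QNAME = "_ldap._tcp.dc._msdcs.corp.example"
_question = encode_name(SAMPLE_QNAME) + struct.pack("!HH", TYPE_SRV, CLASS_IN)
_corp_off = 12 + len(encode_name("_ldap._tcp.dc._msdcs")) - 1  # where "corp" starts
_rdata = (struct.pack("!HHH", 0, 100, 389) + b"\x03dc1"
          + struct.pack("!H", 0xC000 | _corp_off))             # target dc1.corp.example
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _question
                   + struct.pack("!H", 0xC00C)                  # name = pointer to question
                   + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, 600, len(_rdata)) + _rdata)
NXDOMAIN_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _question

if __name__ == "__main__":
    import sys                                    # usage: script.py corp.example 10.0.0.2
    for name, answers in check_domain(sys.argv[1], sys.argv[2]).items():
        print(name, answers or "MISSING")
```

Run it twice from an AWS instance: once against the resolver the instance currently uses and once against the corporate DNS server reached over the VPN. The first run returning empty lists for the `_msdcs` names while the second returns targets is the situation the poster describes, and it shows why the join fails without any change to the AWS resolver path. The parser deliberately treats any non-zero RCODE as "no records", since for the join the distinction between NXDOMAIN, REFUSED and SERVFAIL does not matter: the DC locator cannot proceed in any of those cases.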