Azure AD DS – Using Same Domain Name as External Domain

azureazure-active-directory-dsdomain-name-system

We have the following setup:

Office 365 on mycompany.com
AWS Route 53 as the DNS server for mycompany.com
Azure as the hosting provider

I'm creating a new set of servers on Azure and I used Azure Active Directory Domain Services so that we can log into the servers using our Office 365 credentials.

mysite.mycompany.com is set up as a CNAME record on AWS to point to mysite.northeurope.cloudapp.azure.com and there is a public IP address set up with that name in Azure which points to a public load balancer which distributes the traffic between the two servers called mysite-web1.mycompany.com and mysite-web2.mycompany.com.

The problem is that I can't access the website mysite.mycompany.com from the Azure virtual network even though I can access it externally.

I assume that this is because the Azure virtual network just uses the Azure AD servers to get the domain name and doesn't go to AWS at all. There is no server on the Azure virtual network called mysite.mycompany.com

So I have a number of questions:

Is there a way to make it work? I assume that I could just add the DNS name mysite.mycompany.com to AD DS but I'd rather not double maintain that info.
Is this set up a bad idea? Assuming that I can fix it am I just going to run into other problems using the same name for the internal and external domains.

Best Answer

This is the same issue that people face with non-Azure Active Directory Domain Services. You should not name your AD domain the same as your external website, because the DNS in your Active Directory will serve the IP addresses of your domain controllers.

This does not mean that you cannot log in with your Office 365 accounts, however. Your AD Domain Name does not need to match your UPN (User Principal Name). For example, your domain name could be corp.example.com and your domain NETBIOS name be corp but users still log in with amy.smith@example.com - because example.com is your UPN suffix.

Frankly the "correct" way out of the situation you're in right now to to tear down that Azure ADDS and start again using a different domain name. The only other option is to do a DNS delegation of mysite to point to your Route 53 name servers. That means creating a new delegation for every subdomain you need to point elsewhere.

Answer

The short answer to your specific question of listing CNAMEs is that you cannot without permission to do zone transfers (see How to list all CNAME records for a given domain?).

That said, if your company's DNS server still supports the ANY query, you can use dig to list the other records by doing:

dig +noall +answer +multiline yourdomain.yourtld any

These ... +noall +answer +multiline ... are strictly optional and are simply output formatting flags to make the output more easily human readable (see dig man page ).

Example

$ dig +noall +answer +multiline bad.horse any

Returns:

bad.horse.              7200 IN A 162.252.205.157
bad.horse.              7200 IN CAA 0 issue "letsencrypt.org"
bad.horse.              7200 IN CAA 0 iodef "mailto:abuse@sandwich.net"
bad.horse.              7200 IN MX 10 mx.sandwich.net.
bad.horse.              7200 IN NS a.sn1.us.
bad.horse.              7200 IN NS b.sn1.us.
bad.horse.              7200 IN SOA a.sn1.us. n.sn1.us. (
                                2017032202 ; serial
                                1200       ; refresh (20 minutes)
                                180        ; retry (3 minutes)
                                1209600    ; expire (2 weeks)
                                60         ; minimum (1 minute)
                                )

Caveats (RFC8482)

Note that, since around 2019, most public DNS servers have stopped answering most DNS ANY queries usefully. For background on that, see: https://blog.cloudflare.com/rfc8482-saying-goodbye-to-any/

If ANY queries do not enumerate multiple records, the only option is to request each record type (e.g. A, CNAME, or MX) individually.

Best Answer

Related Solutions

DNS Best Practices – Top Level Domain/Domain Suffix for Private Network

DNS Records – How to List All DNS Records in a Domain Using Dig

Answer

Example

Caveats (RFC8482)

Related Topic