How do I resolve Route 53 private hosted zones when using an AWS Managed Microsoft AD directory?
Last updated: 2022-09-21
Resources in my AWS Directory Service for Microsoft Active Directory domain can’t resolve DNS records in my Amazon Route 53 private hosted zone. How can I resolve this issue?
By default, DNS queries for private hosted zones are resolved only by the AmazonProvidedDNS server. However, you can configure the forwarder settings on the AWS Managed Microsoft AD DNS servers so that queries for the Route 53 private hosted zone are sent to the AmazonProvidedDNS.
Note: The AWS Managed Microsoft AD server won't contact the AmazonProvidedDNS server for private hosted zone domains under the following circumstances:
- The AWS Managed Microsoft AD server hosts a zone with the same name as the Route 53 private hosted zone. For example, a DNS zone named example1.com is created manually on the AWS Managed Microsoft AD, and Route 53 has two private hosted zones, example1.com and example2.com. The AWS Managed Microsoft AD answers all DNS queries for example1.com authoritatively and won't forward them to Route 53. DNS queries for the domain example2.com are forwarded to Route 53 successfully.
- The AWS Managed Microsoft AD domain has the same name as the Route 53 private hosted zone. For example, the AWS Managed Microsoft AD is named example1.com when it's launched, so a DNS zone named example1.com is created automatically on the AWS Managed Microsoft AD. If Route 53 has a private hosted zone named example1.com, then the AWS Managed Microsoft AD answers all DNS queries for example1.com authoritatively and won't forward them to Route 53. DNS queries for other domains, such as example2.com, are forwarded to Route 53 successfully.
- The AWS Managed Microsoft AD has a DNS zone named "." (root). For example, the AWS Managed Microsoft AD is named myexample.com when it's launched, so a DNS zone named myexample.com is created automatically on the AWS Managed Microsoft AD, and Route 53 hosts two private hosted zones, example1.com and example2.com. Because a root zone makes the server authoritative for every name, the AWS Managed Microsoft AD won't forward any requests to Route 53. Name resolution fails for the DNS zones example1.com and example2.com and for internet names such as www.amazon.com.
For more information, see DNS terminology on the IETF website.
First, install the Active Directory Domain Services and Active Directory Lightweight Directory Services Tools on a domain-joined Amazon Elastic Compute Cloud (Amazon EC2) instance.
Note: In the Features tree, be sure to select AD DS, AD LDS Tools, and DNS Server Tools.
Then, follow these steps:
- Log in to the Remote Server Administration Tools (RSAT) instance using the Administrator account.
- Open the DNS management tool from Windows Administrative Tools.
- Connect to the DNS server using the IP address of one of your Managed AD domain controllers.
- Expand DNS, open the context (right-click) menu for the domain name, and then choose Properties.
- From the Forwarders tab, edit the IP address of the forwarding servers to point to the AmazonProvidedDNS.
Note: The AmazonProvidedDNS is the base address of the VPC CIDR range plus two. For example, if the VPC CIDR is 10.0.0.0/16, then the AmazonProvidedDNS is 10.0.0.2. For more information, see Amazon DNS server.
- Repeat steps 3 through 5, entering the IP address of each additional domain controller in your Managed AD domain.
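The same forwarder change, applied to every domain controller from the RSAT instance and then verified, as an added example that is not part of this article: it assumes the RSAT DNS Server Tools are installed, the session runs as the directory Admin account, the domain controllers accept the DnsServer module's remote (CIM) connection, and the domain controller IPs, VPC CIDR, and private hosted zone names in the parameters are constructed placeholders you replace with your own.

```powershell
# Added example, not AWS's own code: push the AmazonProvidedDNS forwarder to each
# AWS Managed Microsoft AD domain controller, after checking for the zone conflicts
# described in the note above, then verify resolution of each private hosted zone.
param(
    [string[]] $DomainControllerIps = @('10.0.1.10', '10.0.2.10'),          # placeholders
    [string]   $VpcCidr             = '10.0.0.0/16',                        # placeholder
    [string[]] $PrivateHostedZones  = @('example1.com', 'example2.com')     # placeholders
)

# AmazonProvidedDNS is the VPC network address plus two (10.0.0.0/16 -> 10.0.0.2).
function Get-AmazonProvidedDns([string] $Cidr) {
    $bytes = [System.Net.IPAddress]::Parse($Cidr.Split('/')[0]).GetAddressBytes()
    [Array]::Reverse($bytes)                                  # network order -> host order
    $value = [BitConverter]::ToUInt32($bytes, 0) + 2
    $bytes = [BitConverter]::GetBytes([uint32] $value)
    [Array]::Reverse($bytes)                                  # host order -> network order
    return [System.Net.IPAddress]::new($bytes).ToString()
}

$amazonDns = Get-AmazonProvidedDns $VpcCidr

foreach ($dc in $DomainControllerIps) {
    # A zone the DC hosts itself is answered authoritatively and never forwarded;
    # a root zone "." stops forwarding altogether (the cases in the note above).
    $localZones = (Get-DnsServerZone -ComputerName $dc).ZoneName
    if ($localZones -contains '.') {
        Write-Warning "$dc hosts a root zone '.', so no query will be forwarded"
    }
    foreach ($zone in ($PrivateHostedZones | Where-Object { $localZones -contains $_ })) {
        Write-Warning "$dc hosts $zone locally; Route 53 records in $zone are unreachable"
    }

    # Step 5 of the procedure: replace this DC's forwarder list with AmazonProvidedDNS.
    Set-DnsServerForwarder -ComputerName $dc -IPAddress $amazonDns -PassThru |
        Select-Object @{ n = 'DC'; e = { $dc } }, IPAddress
}

# Verification: each DC should now return the SOA of every private hosted zone.
# A zone hosted locally on the DC also answers here, which is why the zone check matters.
foreach ($dc in $DomainControllerIps) {
    foreach ($zone in $PrivateHostedZones) {
        $soa = Resolve-DnsName -Name $zone -Type SOA -Server $dc -ErrorAction SilentlyContinue
        if ($soa) { Write-Host "OK   $dc resolves $zone via $amazonDns" }
        else      { Write-Warning "FAIL $dc cannot resolve $zone; check forwarders and zones" }
    }
}
```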
Remote Server Administration Tools (RSAT) for Windows on the Microsoft website