AD DS Auth for Azure File Shares / DNS Configuration Question

Copper Contributor

Hi all, I'm setting up our environment to "enable AD DS authentication for your Azure file shares" which was just recently offered in Azure. There are couple things that you have to do to get this work and one of them is to 'Configure DNS forwarding for Azure Files". The link to do this is: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-networking-dns

As part of the setup you have to use some commands in the Azure File Hybrid PowerShell module. One of these commands is "New-AzDnsForwarder". Based on the doc, it seems that this command will (1) create 2 DNS servers in your Azure subscription and then (2) will create a Conditional Forwarder on your on-premises DNS servers for the core.windows.net domain.

I understand what needs to be done to configure DNS for AD DS authentication to work, however, I question what the New-AzDnsForwarder command does to your on-prem DNS servers. Questions like: (1) How does the command figure out which DNS servers that are in my on-prem environment (DNS servers exist on all of the internal domain controllers and there are many). (2) How does the command select which DNS server to add the Conditional Forwarder configuration to? (3) Does it configure the Conditional Forwarder on one DNS server or all of them?

I'm skeptical to run this command until I know a little bit more of what it does to my on-prem environment.

Does anybody have any detailed information on what the New-AzDnsForwarder command actually does to your Active Directory architecture?

Any feedback would be much appreciated.

5 Replies

@J_Bush 

 

I am actually wondering this aswell, have you ever managed to find out what this exactly does? Can't find any in-depth manual about what all those things actually do..

@J_Bush 

 

Hi 

 

It will apply forwarders on all on premise DNS servers if you don't specify the  OnPremDnsHostNames

parameter. 

OnPremDnsHostNamesHashSet<string>A manually specified list of on-premises DNS host names to create forwarders on. This parameter is useful when you do not want to apply forwarders on all on-premises DNS servers, such as when you have a range of clients with manually specified DNS names.

@DP 

Hi  

It will apply forwarders on all on premise DNS servers if you don't specify the  OnPremDnsHostNames

parameter. 

OnPremDnsHostNamesHashSet<string>A manually specified list of on-premises DNS host names to create forwarders on. This parameter is useful when you do not want to apply forwarders on all on-premises DNS servers, such as when you have a range of clients with manually specified DNS names.

@ibnmbodji 

 

So if I am correct you run the "New-AzDnsForwarder" from within your Azure DNS server, where you specify your "OnPremDnsHostNames". Am I saying that correct?

 

The only point I am sceptical about is does the "NewAzDnsForwarder" command also spawn new Azure DNS servers or am I seeing that wrong?

 

Thanks for your answer.

@DP 

Hi

You can run it everywhere  with the right powershell module and the right credentials for your subscription . Yes you're right it's also  mentionned in the documentation : 

 

By default, New-AzDnsForwarder deploys two DNS servers in your Azure virtual network, in an Availability Set, to ensure redundancy. This number may be modified as desired.

By default, the DNS servers will be deployed into the same resource group as the virtual network.

 

The doc i'm referring to 

Configuring DNS forwarding for Azure Files | Microsoft Docs