Resources in my AWS Directory Service for Microsoft Active Directory domain can't resolve DNS records in my Amazon Route 53 private hosted zone.
Resolution
By default, only the AmazonProvidedDNS server resolves DNS queries for private hosted zones. However, you can configure DNS forwarder settings to forward requests for the Route 53 private hosted zone to the AmazonProvidedDNS server.
The AWS Managed Microsoft AD server doesn't contact the AmazonProvidedDNS server for private hosted zone domains in the following circumstances.
Same DNS zone names
The AWS Managed Microsoft AD server hosts a zone with the same name as a Route 53 private hosted zone. For example, you create a DNS zone that's named example1.com on AWS Managed Microsoft AD. Route 53 has two private hosted zones that are named example1.com and example2.com.
AWS Managed Microsoft AD authoritatively responds to all DNS queries to example1.com and doesn't forward example1.com queries to Route 53. AWS Managed Microsoft AD forwards DNS queries for example2.com to Route 53. This behavior occurs because AWS Managed Microsoft AD and all Active Directory integrated DNS servers can't forward queries for their own domain to other DNS servers.
It's a best practice to use different domain names for Route 53 private hosted zones and AWS Managed Microsoft AD. If your AWS Managed Microsoft AD zone uses example1.com, then use example2.com for your Route 53 private hosted zone.
Same domain names
The AWS Managed Microsoft AD domain name matches the Route 53 private hosted zone name. For example, at launch, AWS Managed Microsoft AD creates a DNS zone with the name example1.com. If Route 53 has a private hosted zone with the name example1.com, then AWS Managed Microsoft AD authoritatively responds to all DNS queries to example1.com. It doesn't forward example1.com queries to Route 53. AWS Managed Microsoft AD forwards DNS queries for other domains, such as example2.com, to Route 53.
DNS zone named "." (root)
AWS Managed Microsoft AD has a DNS zone that's named "." (root). For example, at launch, if you name your domain myexample.com, then AWS Managed Microsoft AD automatically creates a DNS zone that's called myexample.com. Route 53 hosts two private hosted zones, example1.com and example2.com.
A DNS server that hosts the root zone considers itself authoritative for the entire namespace, so it never uses its forwarders. AWS Managed Microsoft AD doesn't forward requests to Route 53, so DNS resolution fails for the zones example1.com and example2.com and for internet names, such as www.amazon.com.
Configure DNS forwarder settings
Prerequisite: Install the Active Directory Domain Services and Active Directory Lightweight Directory Services Tools on a domain-joined Amazon Elastic Compute Cloud (Amazon EC2) instance.
Note: In the Features tree, be sure to select AD DS, AD LDS Tools, and DNS Server Tools.
Then, complete the following steps:
- Log in to the Remote Server Administration Tools (RSAT) instance from the Administrator account.
- Open the DNS management tool from Windows Administrative Tools.
- Use the IP address of one of your AWS Managed Microsoft AD domain controllers to connect to the DNS server.
- Expand DNS, and then choose the context menu for the domain name.
- Choose Properties.
- On the Forwarders tab, edit the IP address of the forwarding servers to point to the AmazonProvidedDNS server.
Note: The AmazonProvidedDNS server is the second address of the virtual private cloud (VPC). For example, if the VPC CIDR is 10.0.0.0/16, then the AmazonProvidedDNS server is 10.0.0.2. For more information, see DNS attributes for your VPC.
- Repeat steps 3 to 5. Enter the IP address of the other domain controllers in your AWS Managed Microsoft AD domain.
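The procedure above uses the DNS management console. The same forwarder change, together with a check for the non-forwarding conditions described earlier (a zone with the same name as the private hosted zone, or a root "." zone), can be scripted from the RSAT instance with the DnsServer PowerShell module that DNS Server Tools installs. This is an added example, not code from the AWS article; the VPC CIDR, domain controller addresses, hosted zone name and test record are placeholders, and it assumes the domain controllers accept the same remote management that the console connection uses.

```powershell
# Added example (not from the AWS article). Assumes RSAT DNS Server Tools
# (DnsServer module) and that the DCs accept remote management from this host.
#Requires -Modules DnsServer
param(
    [string]$VpcCidr = '10.0.0.0/16',                           # placeholder VPC CIDR
    [string[]]$DomainControllers = @('10.0.1.10', '10.0.2.10'), # placeholder DC addresses
    [string]$PrivateHostedZone = 'example2.com',                # Route 53 private hosted zone
    [string]$TestRecord = 'app.example2.com'                    # placeholder record in that zone
)

# AmazonProvidedDNS is the VPC network address plus 2 (10.0.0.0/16 -> 10.0.0.2).
function Get-AmazonProvidedDns {
    param([string]$Cidr)
    $bytes = [System.Net.IPAddress]::Parse($Cidr.Split('/')[0]).GetAddressBytes()
    [Array]::Reverse($bytes)                               # big-endian -> host order
    $n = [BitConverter]::ToUInt32($bytes, 0) + 2
    $out = [BitConverter]::GetBytes($n)
    [Array]::Reverse($out)                                 # host order -> big-endian
    return ([System.Net.IPAddress]::new($out)).ToString()
}

$forwarder = Get-AmazonProvidedDns -Cidr $VpcCidr
"AmazonProvidedDNS for $VpcCidr is $forwarder"

foreach ($dc in $DomainControllers) {
    # Conditions from the article under which the DC answers itself and never forwards.
    $zones = Get-DnsServerZone -ComputerName $dc | Select-Object -ExpandProperty ZoneName
    if ($zones -contains $PrivateHostedZone) {
        Write-Warning "$dc hosts zone '$PrivateHostedZone'; queries for it will not reach Route 53."
    }
    if ($zones -contains '.') {
        Write-Warning "$dc hosts a root '.' zone; it will not forward any query."
    }

    # Equivalent of the Forwarders tab: point this DC at AmazonProvidedDNS.
    Set-DnsServerForwarder -ComputerName $dc -IPAddress $forwarder
    Get-DnsServerForwarder -ComputerName $dc |
        Select-Object -ExpandProperty IPAddress |
        ForEach-Object { "$dc now forwards to $($_.IPAddressToString)" }

    # Verify by asking this DC for a record in the private hosted zone.
    Resolve-DnsName -Name $TestRecord -Server $dc -Type A -ErrorAction Stop |
        Select-Object Name, IPAddress
}
```

Set-DnsServerForwarder replaces the existing forwarder list on each domain controller rather than appending to it, which matches editing the addresses on the Forwarders tab.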
Related information
Remote Server Administration Tools (RSAT) for Windows on the Microsoft website
DNS terminology on the IETF website