DNS issue while setting Active Directory in Azure Virtual Network

I was recently setting up Active Directory in an Azure Virtual Network and I ran into an issue related to DNS.

MSDN has the following documentation about setting up Active Directory in Azure Virtual Network.

Guidelines for deploying Active Directory on Azure Virtual Machines


Step-by-step instructions are provided in the article below:

Install a new Active Directory Forest on an Azure Virtual Network


I followed the instructions in this second article carefully. After setting up DNS I added my first virtual machine, which was domain joined. My virtual machine was unable to access the internet. I tried searching for a solution to this issue and found the following blog post:


When I checked my DNS forwarder setting I did have a forwarder listed. I removed this forwarder as suggested in the blog post shown above. My internet access started working. However, it was not reliable. There were times I was unable to access sites like microsoft.com.

I was fortunate to get help from somebody from Azure DNS team. Here is what they told me.

DCPROMO looks up the root hints by querying the upstream DNS server. The upstream DNS server is returning all the NS records but only as many A/AAAA records as it can fit into the UDP DNS response. That seems valid because they’re in the “Additional Section”. For some reason DCPROMO only looks up the A/AAAA records directly if there are none provided in the response; when some are in the response it uses those and only those. So DCPROMO picks up a subset of root hints; in my case it did not pick up a complete set of root hints. This is what was causing the reliability issues in connecting to the internet.

The fix for this issue was simple.


What I had to do was to set the DNS IP on the VNET to before creating the Active Directory and then set it to the Domain Controller after it’s set up. This had two effects:

1) it prevents the ADDS from creating a DNS forward rule as we shouldn’t memorize DNS IPs in the guest OS and

2) it forces ADDS to use the default set of root hints and look their IPs up directly.

Following this suggestion helped me get a complete set of root hints, and my internet access started working reliably.
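To confirm the promoted domain controller actually ended up with the full set of root hints rather than the truncated subset described above, I use a small check like the following. This is an added example, not part of the MSDN article or anything the Azure DNS team provided; it assumes the DnsServer PowerShell module (DNS Server role or RSAT) is available on the DC and that the root hint records follow the standard `x.root-servers.net.` naming.

```powershell
# Added check (not from the article): compare the DC's configured root hints
# against the 13 standard root server names and flag entries that have no
# address record, which is the symptom of DCPROMO trusting a truncated
# Additional Section instead of looking each name up directly.
Import-Module DnsServer

# The 13 root server names a complete set of root hints must contain.
$expected = 'abcdefghijklm'.ToCharArray() | ForEach-Object { "$_.root-servers.net." }

$hints   = Get-DnsServerRootHint
$present = $hints | ForEach-Object { $_.NameServer.RecordData.NameServer.ToLower() }

$missing = $expected | Where-Object { $present -notcontains $_ }
$noGlue  = $hints | Where-Object { -not $_.IPAddress } |
           ForEach-Object { $_.NameServer.RecordData.NameServer }

"Root hints present: $($present.Count) of $($expected.Count)"
if ($missing) { "Missing entirely: $($missing -join ', ')" }
if ($noGlue)  { "Listed but without any address record: $($noGlue -join ', ')" }

# For each hint that does carry an address, cross-check the stored IPv4
# address against a direct lookup of the name, which is what the fix above
# forces ADDS to do. Assumes this host can resolve names via its own DNS.
foreach ($h in $hints) {
    $name   = $h.NameServer.RecordData.NameServer
    $stored = @($h.IPAddress | Where-Object { $_.RecordType -eq 'A' } |
                ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
    if (-not $stored) { continue }
    $live = @((Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue).IPAddress)
    if (-not $live) { "$name : direct lookup failed"; continue }
    if (-not ($stored | Where-Object { $live -contains $_ })) {
        "$name : stored $($stored -join ',') but resolves to $($live -join ',')"
    }
}

if (-not $missing -and -not $noGlue) { "Root hints look complete." }
```

Run it on the domain controller after pointing the VNET DNS setting back at the DC; any line other than "Root hints look complete." means the root hints should be re-imported before relying on recursion for internet access.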

If you are following these steps below to install a new AD Forest 


you should insert the steps listed in the “Resolution” section above after Step 2 and before Step 3 (the section where you install Active Directory).

The MSDN article will be updated in the near future, but I thought I would share this information with the Azure community now.
