AZ-140 ep02 | Configure Active Directory | Azure AD DNS

00:00

thanks for clicking and joining us for

00:01

episode 2 in the az140 study guide and

00:05

we're continuing to plan our wbd

00:07

architecture and today we're going to

00:09

get into

00:09

planning and configuring name resolution

00:12

for active directory

00:13

and azure active directory domain

00:15

services

00:18

[Applause]

00:20

i'm dean sefola and this is the azure

00:22

academy name resolution is where we get

00:24

it into

00:24

the dns this is the domain name system

00:28

so what is that well computers

00:30

understand ip addresses

00:31

like 20.42.6.197

00:35

but it's easier for people to remember

00:37

names

00:38

so you get bonus points if you comment

00:40

down below with the name that that ip

00:43

address i just gave you resolves to

00:45

so it's dns's job to translate names

00:47

into ips and back into names

00:50

so that computers and the rest of us can

00:51

get along dns is what allows you to use

00:54

your web browser to find

00:56

websites as well as use windows virtual

00:58

desktop and there are multiple kinds of

01:00

dns in azure now as of today when i'm

01:03

recording this video

01:04

all of your wvd session hosts need to be

01:06

domain

01:07

joined and dns is one of the most

01:10

important things that an active

01:11

directory domain does

01:13

and like everything else in a domain

01:15

it's built on trust

01:16

so a domain joined windows client will

01:19

register

01:20

its ip address with the domain

01:21

controller by using

01:23

secure dynamic dns now the domain join

01:26

process

01:27

will set the primary dns suffix of the

01:30

client

01:31

and creates and maintains that trust

01:33

relationship

01:34

and that's what gives you the fully

01:35

qualified domain name of something like

01:38

wvd wvdhost1.msazureacademy.com

01:42

the first part is the name of your

01:44

session host the second part is your

01:46

domains

01:47

dns suffix over here in the azure portal

01:50

i've got multiple

01:51

virtual networks as you can see so let's

01:53

click on one of them

01:54

and notice right up here that we have

01:56

the dns

01:58

server for this particular virtual

02:00

network which you can also see

02:01

over there on the left and we can see up

02:03

top that the dns server is currently set

02:06

as the

02:07

default of azure so what is that well

02:09

this is from the dhcp

02:12

scope that gives the vms their ip

02:14

addresses

02:15

so the default dns server that every vm

02:18

in azure gets is going to be 168.6

02:24

so this is azure's dns now as of today

02:28

you can't use this in relation to wbd

02:31

because we need our systems to be domain

02:33

joined which is going to require

02:35

custom dns and by putting these ip

02:38

addresses here that tells the azure dhcp

02:41

scope

02:41

to push these dns server ip addresses

02:44

to all of the hosts in this virtual

02:46

network so if you're using an active

02:48

directory domain controller that's

02:50

in azure you can just set these ip

02:52

addresses

02:53

in your dns and the azure side is done

02:56

there's still some things to do on our

02:58

dns server which we'll get into in a

02:59

minute

03:00

but what if your dns server happens to

03:02

be on premise so how do we bridge that

03:05

gap well

03:05

you need some kind of connectivity

03:07

either a vpn

03:09

or an express route to connect your

03:11

on-prem network

03:12

with azure and we'll get into that in

03:14

detail in a future episode but

03:16

all you have to do is just enter the ip

03:18

address here

03:19

as long as my vpn tunnel and all of the

03:22

azure routing

03:22

and gateways are all working properly

03:24

again more on that in a future episode

03:27

you'll be able to get name resolution

03:29

from your wvd session host in azure

03:32

to the network which knows now to

03:34

communicate back over to on premise

03:36

talk to your dns server and complete

03:38

name resolution

03:39

now if that sounds like going really far

03:42

down the path

03:43

instead of having a dns server in the

03:45

cloud you are exactly right and it is a

03:47

best practice to have a domain

03:49

controller in the cloud from the

03:50

perspective

03:51

of keeping your lookups name resolution

03:53

and latency for all your authentications

03:56

as short as possible but what about

03:58

azure active directory domain services

04:00

now here i have an instance of azure

04:02

active directory domain services that

04:04

i've created

04:05

and if we scroll down the page here

04:07

you'll see right over there is a

04:08

configure dns

04:10

button so this is the easy way to do it

04:12

when you have azure adds

04:14

and when you click that button it's

04:15

going to configure the virtual network

04:17

that your azure ad domain services

04:20

lives on to do exactly what we saw in

04:22

the last screen

04:23

which is configure azure with custom dns

04:26

which will point at your two

04:28

azure ad domain services domain

04:30

controllers

04:31

so i've logged on to my domain

04:33

controller and i've got my dns

04:35

server manager open i've got forward

04:37

lookup zones reverse zones and then i've

04:39

got some conditional forwarders

04:41

and that's what i want to talk about

04:42

here so what is a conditional forwarder

04:45

well it's when your dns

04:46

server doesn't know how to resolve

04:49

something for example

04:51

reddog.microsoft.com now this is one of

04:53

the dns suffixes along with the others

04:55

that are listed

04:56

there that are used by azure internally

04:58

and are not

04:59

internet registered so your dns server

05:01

won't know how to resolve those by

05:02

default so we have to

05:04

tell it so when you add a conditional

05:06

forwarder you're asking your dns server

05:09

to pass that request

05:10

onto another server so if i click on

05:13

redog.microsoft.com you can see

05:15

we've got that same azure dhcp address

05:18

here

05:19

so when your local server doesn't know

05:20

what to do you would forward that

05:22

request

05:23

onto the azure dhcp scope over your vpn

05:26

or your express route

05:28

and then azure would finish that

05:29

resolution and give you the response

05:32

now this comes in pretty handy in wvd

05:34

because notice i have

05:35

private link link.core.windows.net

05:39

and i use this in my fslogix azure files

05:42

storage configuration

05:44

to add extra security to that storage

05:46

that only my wvd systems can get to my

05:49

user profiles

05:50

and we'll cover more on that in a future

05:52

episode on fs logics and

05:54

storage one last thing for today and

05:56

that is how we can

05:57

actively use name resolution so of

06:00

course your vms are joined to your

06:02

domain

06:03

and they're going to talk to one of your

06:04

domain controllers to do all of their

06:06

lookups and name resolution but what

06:08

about your clients

06:09

let's say that you've got a user who's

06:11

sitting in an internet cafe

06:13

and you allow them to use wvd how do

06:16

they find

06:16

your instance and how do they get on

06:18

their client to see what they even have

06:20

access to well this is handled in two

06:22

ways

06:22

first is internet domain name resolution

06:25

which you do when you establish your

06:27

domain like

06:28

ms azureacademy.com i had to go to an

06:31

internet registrar

06:32

and buy that domain name and then i

06:34

could come over here to azure active

06:36

directory

06:37

and over on the left at the bottom we've

06:39

got custom domain

06:40

name and i had to add a custom domain

06:43

name and register

06:44

my azure active directory tenant to be

06:47

ms azureacademy.com

06:49

and you do that by adding the

06:50

appropriate records into your dns

06:52

registrar so that everything resolves

06:54

from out in the world

06:55

down to you but now what about those

06:57

clients i mentioned so here i've got my

06:59

iphone opened and i'll open my wvd app

07:03

and i've got nothing registered so i

07:05

want to add a new

07:06

user so i'll click to add and i'll type

07:08

in my user's email address but i can't

07:11

find anything

07:12

now you could resolve this just by

07:14

telling them to remember the

07:16

long url for the feed discovery but

07:18

that's a pain

07:19

let's solve this with dns so here i have

07:21

an azure public dns

07:23

zone and this is what i use for my

07:26

internet name resolution we need to go

07:28

and add a new record

07:29

and your name for that record should be

07:31

underscore msradc

07:34

the type of record should be a text

07:36

record and i'll leave my time to live

07:39

at one hour and now we need our value

07:41

for this record it's

07:43

where that text record resolves to and

07:45

you can grab that link directly from the

07:47

docs and i'll just post it here for our

07:49

feed discovery

07:50

and there you go our new record has been

07:52

added so all you have to wait for

07:53

is dns propagation which could take

07:56

anywhere from a couple minutes to a

07:57

couple

07:58

hours let's do this again in our private

08:01

dns on our domain controller so back in

08:03

my server manager i'll go and create a

08:05

new text record

08:06

so right click on your domains forward

08:08

lookup zone

08:09

go down to other new records and then

08:12

scroll down until you find your text

08:14

record and hit

08:15

create record and it's the same name as

08:17

before underscore msradc

08:20

and then the text value is the feed

08:22

discovery url

08:24

and then hit ok and we go back to my ios

08:27

client and then type in the user's email

08:29

address again

08:30

and now through the power of dns we can

08:32

complete that lookup

08:34

find all of the things that we have

08:35

access to and get back to work

08:38

so if this has been helpful for you go

08:39

ahead and hit the like button subscribe

08:41

if you haven't done that already

08:43

and click that notification bell because

08:45

the videos in this study guide are just

08:47

going to come out as

08:48

fast as i can do them so you want to be

08:50

sure that you're notified when that

08:52

happens

08:52

and be sure to click through to the next

08:54

video by clicking on our playlist right

08:56

over there

08:57

or you can check out the latest video at

08:59

the azure academy up top thanks for

09:01

joining us today and we'll see you in

09:03

the next episode

09:04

happy learning