Introduction
In traditional Active Directory environments, Windows endpoints automatically register their IP addresses with the on-premises DNS servers. However, Azure AD joined endpoints do not have direct integration with on-prem Active Directory, meaning they cannot register themselves with on-prem DNS. This can lead to challenges with name resolution and connectivity within the corporate network.
To resolve this issue, we can delegate DNS registration to the DHCP server by using a service account. This method allows DHCP to dynamically update DNS records on behalf of the Azure AD joined endpoints, ensuring that they are correctly registered in DNS and can be resolved within the network.
Challenges
- Azure AD joined devices are unknown to on-prem AD: since these endpoints are not hybrid joined, they have no computer objects in Active Directory and cannot authenticate against on-prem DNS for secure dynamic updates.
- DHCP does not support gMSA (Group Managed Service Accounts): while gMSAs provide secure credential management, DHCP cannot use them, so we need a standard service account with the appropriate permissions.
Solution: Delegating DNS Registration to DHCP
The solution involves:
- Creating a dedicated service account in Active Directory.
- Configuring DHCP to use this account for dynamic DNS updates.
- Updating DNS permissions to allow this account to register and update records.
- Configuring Intune settings for DNS suffixes.
- Verifying successful DNS registration.
Create a Service Account for DHCP
- Open Active Directory Users and Computers (dsa.msc).
- Create a new user account (e.g., DynamicDNSUpdate).
- Set a strong password and check “Password never expires”.

Configuring DHCP to use this account for dynamic DNS updates
On your DHCP server, right-click IPv4 (or IPv6!) and go to Properties – Advanced – Credentials, then enter the service account details.
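The account creation and DHCP credential steps above, done in PowerShell as an added example (not code from the original post); it assumes the RSAT ActiveDirectory and DhcpServer modules are installed and that the OU path and DHCP server name are placeholders for your environment.

```powershell
# Added example: create the DHCP dynamic-update service account and hand it to DHCP.
# Assumes the ActiveDirectory and DhcpServer modules; the OU and server below are placeholders.
Import-Module ActiveDirectory
Import-Module DhcpServer

$AccountName = 'DynamicDNSUpdate'                                 # name used in the post
$AccountOU   = 'OU=Service Accounts,DC=lab,DC=domain,DC=co,DC=uk' # placeholder
$DhcpServer  = 'dhcp01.lab.domain.co.uk'                          # placeholder
$Domain      = Get-ADDomain

# Generate a long random password; only DHCP needs it, nobody has to type it.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

# Plain user account (DHCP cannot use a gMSA), "Password never expires" as in the post,
# and the account is not allowed to change its own password.
New-ADUser -Name $AccountName -SamAccountName $AccountName `
    -UserPrincipalName "$AccountName@$($Domain.DNSRoot)" -Path $AccountOU `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'DHCP -> DNS dynamic update delegation'

# Equivalent of IPv4 > Properties > Advanced > Credentials on the DHCP server.
$cred = New-Object System.Management.Automation.PSCredential (
    "$($Domain.NetBIOSName)\$AccountName", $password)
Set-DhcpServerDnsCredential -Credential $cred -ComputerName $DhcpServer

# Confirm DHCP now holds the account (the password is never displayed).
Get-DhcpServerDnsCredential -ComputerName $DhcpServer
```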

Updating DNS permissions to allow this account to register and update records
To allow DHCP to perform secure dynamic updates using the service account (DynamicDNSUpdate), you must grant permissions to the service account on forward and reverse DNS zones.
If you have many zones, you can automate this with the following PowerShell script:

```powershell
# Change the service account name, NetBIOS domain and $SearchBaseLocation according to your environment
Import-Module ActiveDirectory
$ServiceAccountSAMAccountName = "DynamicDNSUpdate"
$NetBIOSDomain = (Get-ADDomain).NetBIOSName # e.g. "LAB"; use a literal if the account lives in another domain
$SearchBaseLocation = "<Change to match your environment>" # e.g. "CN=MicrosoftDNS,DC=DomainDnsZones,DC=lab,DC=domain,DC=co,DC=uk"

# Retrieve all DNS zones except "RootDNSServers" from the specified Active Directory path
$dnsZones = Get-ADObject -Filter 'ObjectClass -eq "dnsZone"' -SearchBase $SearchBaseLocation `
    -SearchScope OneLevel | Where-Object { $_.Name -ne "RootDNSServers" } | Select-Object Name, DistinguishedName

# Loop through each DNS zone
foreach ($zone in $dnsZones) {
    $dn  = $zone.DistinguishedName   # Distinguished name of the DNS zone object
    $acl = Get-Acl -Path "AD:$dn"    # Current ACL (Access Control List) of the zone

    # Define required permissions (least privilege): create/delete records, read/write properties
    $rights = @("CreateChild", "DeleteChild", "WriteProperty", "ReadProperty")

    # Create an Allow access rule for the service account for each right
    foreach ($right in $rights) {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule (
            (New-Object System.Security.Principal.NTAccount("$NetBIOSDomain\$ServiceAccountSAMAccountName")), # the account
            $right,   # the right
            "Allow"   # allow, not deny
        )
        $acl.AddAccessRule($ace)   # Add the access rule to the ACL
    }

    # Apply the updated ACL to the DNS zone
    Set-Acl -Path "AD:$dn" -AclObject $acl
    Write-Host "Permissions applied to: $($zone.Name)"   # Report the zone that was updated
}
```
Otherwise, for a manual configuration, follow these steps:
Right-click each zone (forward or reverse) — Properties — Security tab.
Add the service account you created and grant it the following permissions:
a. Create all child objects
b. Delete all child objects
c. Read all properties
d. Write all properties
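Whether you used the script or the manual steps, this added example (not from the original post) reports, zone by zone, which of the four rights the service account actually holds. It assumes the ActiveDirectory module and uses placeholder account and search base values; rights inherited through group membership are not counted, only ACEs naming the account directly.

```powershell
# Added example: audit the DNS zone ACLs for the DHCP service account.
# Assumes the ActiveDirectory module; account name and search base are placeholders.
Import-Module ActiveDirectory

$ServiceAccount = 'DynamicDNSUpdate'
$SearchBase     = 'CN=MicrosoftDNS,DC=DomainDnsZones,DC=lab,DC=domain,DC=co,DC=uk'
$identity       = "$((Get-ADDomain).NetBIOSName)\$ServiceAccount"
$expected       = 'CreateChild', 'DeleteChild', 'ReadProperty', 'WriteProperty'

$zones = Get-ADObject -Filter 'ObjectClass -eq "dnsZone"' -SearchBase $SearchBase -SearchScope OneLevel |
    Where-Object { $_.Name -ne 'RootDNSServers' }

$report = foreach ($zone in $zones) {
    $acl = Get-Acl -Path "AD:$($zone.DistinguishedName)"

    # Only Allow ACEs that name the service account itself (group-based grants are ignored)
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $identity -and $_.AccessControlType -eq 'Allow'
    }

    # Flatten the rights of all matching ACEs ("CreateChild, DeleteChild" ...) into one unique list
    $granted = @($aces | ForEach-Object { $_.ActiveDirectoryRights.ToString() -split ',\s*' } |
        Sort-Object -Unique)
    $missing = @($expected | Where-Object { $granted -notcontains $_ })
    $status  = if ($missing.Count -eq 0) { 'OK' } else { 'INCOMPLETE' }

    [pscustomobject]@{
        Zone    = $zone.Name
        Granted = ($granted -join ',')
        Missing = ($missing -join ',')
        Status  = $status
    }
}

$report | Format-Table -AutoSize
```

A zone that reports GenericAll or GenericWrite for the account also satisfies the check in practice, but it means the account holds more than the four rights listed above and is worth tightening.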

Restart both the DHCP Server and DNS Server services:
```powershell
Restart-Service DHCPServer
Restart-Service DNS
```
Configuring Intune settings for DNS suffixes
In the Intune portal (intune.microsoft.com), create a configuration profile that sets the DNS suffix on your Windows clients:
DNS Suffixes: (Device): yourdomain.com
DNS suffix search list: Enabled
If you have multiple domains, add them all to DNS suffixes. Assign the profile to your AAD joined devices, trigger an Intune sync and confirm that the configuration profile has applied successfully.

Verifying successful DNS registration
On the AAD joined client, perform a lease renewal from an elevated command prompt; this renews the DHCP IP lease, which in turn registers the client in DNS:
ipconfig /renew
On your DNS server you should see an A record and a PTR record created.

In the event viewer of your DNS, you should be able to see the action of creating the DNS record under Applications and Services Logs — Microsoft-Windows-DNS-Server/Audit. Event ID 519

And another event for the reverse lookup zone.
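The verification above (A record, PTR record and the audit event), run from the DNS server as an added example that is not part of the original post. It assumes the DnsServer module on the DNS server; the client host name, zone and server name are placeholders.

```powershell
# Added example: confirm that an AAD joined client was registered by dynamic update.
# Assumes the DnsServer module on the DNS server; host, zone and server are placeholders.
Import-Module DnsServer

$ClientHost = 'AADJ-LAPTOP01'         # placeholder: host name of the AAD joined device
$Zone       = 'lab.domain.co.uk'      # placeholder: forward zone from the Intune suffix profile
$DnsServer  = 'dns01.lab.domain.co.uk' # placeholder

function Test-ClientRegistration {
    param([string]$HostName, [string]$ZoneName, [string]$Server)

    # 1. Forward record; $null when the name does not resolve
    $a = Resolve-DnsName -Name "$HostName.$ZoneName" -Type A -Server $Server -ErrorAction SilentlyContinue
    $ip = ($a | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress

    # 2. Reverse record for the address the A record points at
    $ptr = if ($ip) { Resolve-DnsName -Name $ip -Type PTR -Server $Server -ErrorAction SilentlyContinue }

    # 3. Dynamic records carry a timestamp; a static record created by hand does not
    $rec = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $HostName -RRType A `
        -ComputerName $Server -ErrorAction SilentlyContinue

    # 4. DNS Server audit log: dynamic update events (Event ID 519, as in the post) naming this host
    $events = Get-WinEvent -ComputerName $Server -FilterHashtable @{
        LogName = 'Microsoft-Windows-DNS-Server/Audit'; Id = 519
        StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match [regex]::Escape($HostName) }

    [pscustomobject]@{
        Host        = $HostName
        A           = $ip
        PTR         = ($ptr | Where-Object { $_.Type -eq 'PTR' }).NameHost
        Dynamic     = [bool]($rec -and $rec.Timestamp)
        AuditEvents = @($events).Count
        Ok          = [bool]($ip -and $ptr)
    }
}

Test-ClientRegistration -HostName $ClientHost -ZoneName $Zone -Server $DnsServer
```

If A and PTR resolve but Dynamic is false, the record was created statically rather than by DHCP, so the delegation is not what registered it.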
