Administer DNS in an Azure AD Domain Services managed domain

In Azure Active Directory Domain Services (Azure AD DS), a key component is DNS (Domain Name Resolution). Azure AD DS includes a DNS server that provides name resolution for the managed domain. This DNS server includes built-in DNS records and updates for the key components that allow the service to run.

As you run your own applications and services, you may need to create DNS records for machines that aren't joined to the domain, configure virtual IP addresses for load balancers, or set up external DNS forwarders. Users who belong to the AAD DC Administrators group are granted DNS administration privileges on the Azure AD DS managed domain and can create and edit custom DNS records.

This article shows you how to install the DNS Server tools then use the DNS console to manage records.


Enable password hash synchronization to Azure AD Domain Services, before you complete the tasks in this article.

Follow the instructions below, depending on the type of users in your Azure AD directory. Complete both sets of instructions if you have a mix of cloud-only and synced user accounts in your Azure AD directory. You may not be able to carry out the following operations in case you are trying to use a B2B Guest account (example , your gmail or MSA from a different Identity provider which we allow) because we do not have the password for these users synced to managed domain as these are guest accounts in the directory. The complete information about these accounts including their passwords would be outside of Azure AD and as this information is not in Azure AD hence it does not even get synced to the managed domain.

Before you begin

To complete this article, you need the following resources and privileges:

Install DNS Server tools

To create and modify DNS, you need to install the DNS Server tools. These tools can be installed as a feature in Windows Server. For more information on how to install the administrative tools on a Windows client, see install Remote Server Administration Tools (RSAT).

  1. Sign in to your management VM. For steps on how to connect using the Azure portal, see Connect to a Windows Server VM.

  2. Server Manager should open by default when you sign in to the VM. If not, on the Start menu, select Server Manager.

  3. In the Dashboard pane of the Server Manager window, select Add Roles and Features.

  4. On the Before You Begin page of the Add Roles and Features Wizard, select Next.

  5. For the Installation Type, leave the Role-based or feature-based installation option checked and select Next.

  6. On the Server Selection page, choose the current VM from the server pool, such as, then select Next.

  7. On the Server Roles page, click Next.

  8. On the Features page, expand the Remote Server Administration Tools node, then expand the Role Administration Tools node. Select DNS Server Tools feature from the list of role administration tools.

    Choose to install the DNS Server Tools from the list of available role administration tools

  9. On the Confirmation page, select Install. It may take a minute or two to install the Group Policy Management tools.

  10. When feature installation is complete, select Close to exit the Add Roles and Features wizard.

Open the DNS management console to administer DNS

With the DNS Server tools installed, you can administer DNS records on the Azure AD DS managed domain.


To administer DNS in an Azure AD DS managed domain, you must be signed in to a user account that's a member of the AAD DC Administrators group.

  1. From the Start screen, select Administrative Tools. A list of available management tools is shown, including DNS installed in the previous section. Select DNS to launch the DNS Management console.

  2. In the Connect to DNS Server dialog, select The following computer, then enter the DNS domain name of the managed domain, such as

    Connect to the Azure AD DS managed domain in the DNS console

  3. The DNS Console connects to the specified Azure AD DS managed domain. Expand the Forward Lookup Zones or Reverse Lookup Zones to create your required DNS entries or edit existing records as needed.

    DNS Console - administer domain


When you manage records using the DNS Server tools, make sure that you don't delete or modify the built-in DNS records that are used by Azure AD DS. Built-in DNS records include domain DNS records, name server records, and other records used for DC location. If you modify these records, domain services are disrupted on the virtual network.

Next steps

For more information about managing DNS, see the DNS tools article on Technet.