This page shows how Managed Service for Microsoft Active Directory simplifies DNS configuration with its
seamless integration with Cloud DNS.
Seamless DNS lookup with Managed Microsoft AD
Active Directory depends heavily on DNS for discoverability of the service and
for name lookup of domain-joined network resources. But configuring DNS
can be a complex and time-consuming process, and you can't use DHCP in
Managed Microsoft AD. Managed Microsoft AD removes the need to
configure individual clients or DHCP for Active Directory domain lookup by seamlessly integrating with Cloud DNS. As a result, VMs created on
VPC networks for authorized networks are able to discover the
Active Directory domain and on-premises VMs, without requiring client-side
configuration changes on the individual VMs.
Compute Engine instances are preconfigured to use Cloud DNS for name
resolution. Cloud DNS lets you create private DNS zones
where you can specify name-to-IP mapping or forward requests for a domain
namespace to another DNS server. Cloud DNS can also be configured to point to
the DNS setting of another VPC network with DNS peering.
Note: We recommend connecting to the domain controller using its domain name rather than its IP address, because Managed Microsoft AD does not provide static IP addresses. Using the domain name, the Active Directory DC locator process can find the domain controller for you, even if its IP address has changed.
Managed Microsoft AD uses a private DNS zone and DNS peering to provide
seamless integration. When you make a request for instance creation or for
adding an authorized network, Managed Microsoft AD creates a private DNS zone
in the tenant project hosting the VMs running Active Directory. This private
DNS zone is provisioned to forward all requests for the Active Directory
domain's fully qualified domain name (FQDN) to DNS servers running in your
tenant project.
Then Managed Microsoft AD creates DNS peering between the authorized
network and the VPC network hosting the AD domain and its DNS, forwarding all
requests for the AD domain namespace to the private DNS zone in the tenant
project.
Figure 1. DNS lookup on Google Cloud with Managed Microsoft AD
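As an added example (not code from the page or from Google), the SRV lookup that the Windows DC locator sends for the AD domain is built and parsed below, against a constructed Cloud DNS style reply; the domain ad.example.com, the DC names and the record values are assumptions.

```python
import struct

# Added example, not from the page. Assumes the Managed Microsoft AD domain is
# ad.example.com; the Windows DC locator asks Cloud DNS for this SRV name.
AD_DOMAIN = "ad.example.com"
DC_LOCATOR_NAME = f"_ldap._tcp.dc._msdcs.{AD_DOMAIN}"
SRV = 33  # SRV record type

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_srv_query(name, txid=0x1234):
    # Header: id, flags (recursion desired), 1 question, no other sections
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV, 1)

def read_name(msg, off):
    # Decode a possibly compressed name; returns (name, offset after it)
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [read_name(msg, ptr)[0]]), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode())
        off += n

def parse_srv_answers(msg):
    # SRV answers as (priority, weight, port, target), lowest priority first
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4  # skip question name, QTYPE, QCLASS
    records = []
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            records.append((prio, weight, port, read_name(msg, off + 6)[0]))
        off += rdlen
    return sorted(records)

def build_srv_response(query, records):
    # Constructed reply of the kind the tenant project's DNS would return
    answers = b""
    for prio, weight, port, target in records:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", SRV, 1, 600, len(rdata)) + rdata
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(records), 0, 0)
    return header + query[12:] + answers
```

On a VM in an authorized network, sending `build_srv_query(DC_LOCATOR_NAME)` over UDP/53 to the VM's configured resolver and feeding the reply to `parse_srv_answers` shows whether the peering and forwarding described above are actually answering for the domain.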
Extending DNS resolution to on-premises networks
The integration of Managed Microsoft AD with Cloud DNS also lets
on-premises resources discover Google Cloud resources joined to the
Managed Microsoft AD. To enable this, create an inbound DNS policy.
Figure 2. Extending DNS resolution to on-premises resources
What's next
Learn more about DNS setup and best practices (/dns/docs/best-practices-dns).
Last updated 2025-09-04 UTC.