Domain Name System (DNS) considerations for environments with external DNS

The default forest recovery runbook configuration assumes that Microsoft Active Directory-integrated DNS is deployed in the environment. However, Active Directory does not require AD-integrated DNS specifically. It requires functional DNS that supports the required AD DNS records and DNS updates.

Customers using external DNS services or DNS appliances can perform Active Directory forest recovery, provided that the DNS environment is properly configured during the recovery workflow.

Supported external DNS workflow

When you configure a runbook to use an external DNS server:

  • Recovered domain controllers are automatically configured to use the specified external DNS server.

  • The runbook pauses during recovery to allow DNS records to be updated on the external DNS server.

  • After you resume the runbook, the recovery workflow validates DNS resolution and required DNS records before continuing.

This workflow supports Microsoft DNS and third-party DNS platforms that support Active Directory DNS requirements.

General requirements

When you use external DNS during Active Directory forest recovery, verify the following requirements:

  • A DNS server is available in the isolated recovery environment (IRE). This can be:

    • A replica of the production DNS appliance

    • A temporary DNS server deployed specifically for recovery

    • A Windows DNS server that is not domain-joined

  • Recovered domain controllers can communicate with the external DNS server.

  • The required Active Directory DNS zones exist on the external DNS server.

  • The DNS zones allow updates or manual record creation.

  • The recovered domain controllers can resolve each other using DNS.

  • DNS resolution is validated before continuing recovery operations.

Configure external DNS in the runbook

When configuring the runbook:

  1. On the Runbook settings tab, in the Configuration tile, click Edit.

  2. Select External DNS (Infoblox, BIND, other appliance).

  3. In the External DNS server IP address field, enter the IP address of the external DNS server that recovered DCs should use during recovery.

  4. Click Save.

The specified DNS server IP address is applied to recovered domain controllers during the recovery workflow.

Customer actions during the external DNS pause

During recovery, the runbook pauses and prompts you to update the external DNS environment with the recovered domain controller information. Complete the following tasks before resuming the runbook:

Create or update DNS records

For each recovered domain controller:

  1. Create or update the forward lookup A record so the domain controller FQDN resolves to the recovered IP address. For example, dc1.contoso.com resolves to 192.168.166.21.

  2. Verify that the required Active Directory DNS zones exist.

  3. Verify that required AD DNS records are available, including:

    • Domain controller host (A) records

    • LDAP SRV records

    • Kerberos SRV records

    • Global Catalog SRV records, if applicable

    Depending on the DNS platform configuration, some SRV records may be automatically registered through dynamic DNS updates.
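The three record-creation steps above, carried out on one of the DNS options this page lists (a Windows DNS server that is not domain-joined), as an added example that is not part of the original runbook documentation. It uses the DnsServer module cmdlets Add-DnsServerResourceRecordA and Add-DnsServerResourceRecord -Srv, and assumes the _msdcs names live inside the contoso.com zone rather than in a delegated _msdcs zone; the domain name, DC names and IP addresses are constructed sample values.

```powershell
# Added example, not from the original documentation: register host (A) and
# SRV records for recovered DCs on a stand-alone Windows DNS server in the IRE.
# Run on the DNS server itself (or add -ComputerName to each cmdlet).
Import-Module DnsServer

$Domain = 'contoso.com'            # assumed domain name (sample value)
$Dcs = @{                          # constructed sample list: DC host name -> recovered IP
    'dc1' = '192.168.166.21'
    'dc2' = '192.168.166.22'
}

foreach ($dc in $Dcs.GetEnumerator()) {
    $fqdn = "$($dc.Key).$Domain"

    # Step 1: forward lookup A record. -CreatePtr also writes the recommended
    # PTR record when a matching reverse lookup zone exists on this server.
    Add-DnsServerResourceRecordA -ZoneName $Domain -Name $dc.Key `
        -IPv4Address $dc.Value -CreatePtr -ErrorAction Stop

    # Step 3: SRV records used for DC location. Well-known ports:
    # LDAP 389, Kerberos 88, Global Catalog 3268.
    $srv = @(
        @{ Name = '_ldap._tcp';               Port = 389  }
        @{ Name = '_ldap._tcp.dc._msdcs';     Port = 389  }
        @{ Name = '_kerberos._tcp';           Port = 88   }
        @{ Name = '_kerberos._tcp.dc._msdcs'; Port = 88   }
        @{ Name = '_gc._tcp';                 Port = 3268 }   # only if this DC is a Global Catalog
        @{ Name = '_ldap._tcp.gc._msdcs';     Port = 3268 }   # only if this DC is a Global Catalog
    )
    foreach ($r in $srv) {
        Add-DnsServerResourceRecord -Srv -ZoneName $Domain -Name $r.Name `
            -DomainName $fqdn -Priority 0 -Weight 100 -Port $r.Port -ErrorAction Stop
    }
}

# Step 2: confirm the zone exists and now holds the records just written.
Get-DnsServerResourceRecord -ZoneName $Domain -RRType Srv |
    Where-Object { $_.RecordData.DomainName -like "*.$Domain." } |
    Select-Object HostName, @{ n = 'Target'; e = { $_.RecordData.DomainName } }
```

Add-DnsServerResourceRecordA fails if a record with the same name already exists, so a stale pre-recovery A record pointing at the old IP has to be removed first (Remove-DnsServerResourceRecord) before the recovered address is written; this is the manual cleanup the "behavioral differences" section warns about.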

Validate DNS resolution

From the recovered domain controller, verify DNS resolution before continuing recovery.

Example commands:

nslookup dc1.contoso.com

nslookup contoso.com

nslookup _ldap._tcp.dc._msdcs.contoso.com
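A scripted version of the same validation, as an added example that is not part of the original documentation: it queries the external DNS server directly with Resolve-DnsName -Server, checks that each recovered DC's A record returns the recovered IP, and checks that every required SRV record exists and points only at recovered DCs. The DNS server address, domain, DC names and IP addresses are constructed sample values; the function name Test-RecoveredDcDns is hypothetical.

```powershell
# Added example, not from the original documentation: validate the records
# the runbook depends on, from a recovered DC, against the external DNS server.
$DnsServer = '192.168.166.10'     # assumed external DNS server IP (sample value)
$Domain    = 'contoso.com'        # assumed domain (sample value)
$Expected  = @{                   # constructed: recovered DC FQDN -> recovered IP
    'dc1.contoso.com' = '192.168.166.21'
    'dc2.contoso.com' = '192.168.166.22'
}

function Test-RecoveredDcDns {
    param([string]$Server, [string]$Domain, [hashtable]$ExpectedHosts)

    $results = New-Object System.Collections.Generic.List[object]

    # 1. Each recovered DC's A record must resolve to its recovered IP.
    foreach ($entry in $ExpectedHosts.GetEnumerator()) {
        $answer = Resolve-DnsName -Name $entry.Key -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue
        $ips = @($answer | Where-Object Type -eq 'A' | ForEach-Object IPAddress)
        $results.Add([pscustomobject]@{
            Check  = "A   $($entry.Key)"
            Result = if ($ips -contains $entry.Value) { 'OK' } else { 'FAIL' }
            Detail = if ($ips) { $ips -join ',' } else { 'no answer' }
        })
    }

    # 2. Required SRV records must exist, and every target must be a recovered DC
    #    (a target that is not in the expected list is a stale pre-recovery record).
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.$Domain",
        "_kerberos._tcp.$Domain",
        "_gc._tcp.$Domain"            # Global Catalog, if applicable
    )
    foreach ($name in $srvNames) {
        $answer  = Resolve-DnsName -Name $name -Type SRV -Server $Server -DnsOnly -ErrorAction SilentlyContinue
        $targets = @($answer | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget)
        $stale   = @($targets | Where-Object { -not $ExpectedHosts.ContainsKey($_) })
        $results.Add([pscustomobject]@{
            Check  = "SRV $name"
            Result = if ($targets.Count -gt 0 -and $stale.Count -eq 0) { 'OK' } else { 'FAIL' }
            Detail = if ($targets) { "targets: $($targets -join ',')" } else { 'no answer' }
        })
    }
    return $results
}

$report = Test-RecoveredDcDns -Server $DnsServer -Domain $Domain -ExpectedHosts $Expected
$report | Format-Table -AutoSize
if ($report.Result -contains 'FAIL') {
    Write-Warning 'One or more DNS checks failed; correct them before resuming the runbook.'
}
```

Querying with -Server bypasses the local resolver cache and any other DNS servers in the client configuration, so a FAIL row reflects what the external DNS server actually serves. A FAIL on an SRV row whose targets include a DC that was not recovered is the stale-record case described under "Important behavioral differences": those records are not cleaned up automatically and should be removed or repointed before the runbook resumes.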

Resume the runbook

Resume the runbook only after:

  • All recovered domain controllers resolve correctly

  • Required Active Directory DNS records are available

  • DNS replication or synchronization on the external DNS platform has completed

Automatic DNS validation

After the runbook resumes, forest recovery validates required Active Directory DNS records, including SRV records, before continuing recovery operations.

Validation includes:

  • Domain controller host record resolution

  • Required Active Directory SRV record resolution

  • DNS lookup verification for recovered domain controllers

If DNS validation fails, the runbook pauses or reports an error so DNS issues can be corrected before additional recovery steps proceed.

Important behavioral differences with external DNS

When using external DNS services:

  • Some DNS platforms require manual DNS record creation if dynamic DNS updates are not supported.

  • Automatic stale DNS record cleanup might not occur.

  • SRV record registration should be verified manually.

  • Forward lookup zones must exist and be writable or allow updates.

  • Reverse lookup PTR records are recommended but are not required.

Failure to ensure proper DNS configuration can prevent:

  • Domain controller discovery

  • Active Directory replication

  • FSMO role functionality

  • Global Catalog advertisement

  • Client authentication

Warning

Do not continue forest recovery until DNS resolution is confirmed operational throughout the isolated recovery environment. Improper DNS configuration can prevent Active Directory from functioning correctly after recovery.
