Azure AD Connect – AAD Custom Domain & Azure DNS

This post is part of a series, for the series contents see:
https://irankon.wordpress.com/post-lists/azure-ad-connect/

To setup a custom domain in Azure AD there were a couple of basic things I needed to get out of the way first:

  1. I needed to own a domain to add
  2. And, I needed somewhere to host that domain

Since this is all about Azure then the solution to point two was easy: I decided to host my domain in Azure DNS.  As an added bonus it’s nice and cheap, literally pence per month.

Add a Zone to Azure DNS

Adding a domain into Azure DNS is a simple one-liner (you need to specify a resource group so I stuck it into my hub resource group from the Azure IaaS Lab series):

#Login to Resource Manager
Login-AzureRmAccount

$RGName = "hub-rg"
New-AzureRmDnsZone -Name irankon.tk -ResourceGroupName $RGName

Then, so that I knew the correct nameservers to tell my domain registrar I ran this simple “get” cmdlet:

$RGName = "hub-rg"
Get-AzureRmDnsZone -Name irankon.tk -ResourceGroupName $RGName

The output of this command gave me the following nameservers to use:

Azure Custom Domain DNS Servers

Setup a Free Domain

Buying your own domain name is generally cheap enough, especially if you stay away from .com domains and choose one of the more obscure suffixes.  But no matter how cheap it is, I’m cheaper!  This is a test lab so I’ve got no interest in using my hard earned cash for it which lead me to www.freenom.com.

It turns out that there are a few countries out there that allow people and small businesses to register domain names with their country code for free and sites like freenom.com can facilitate that.  I decided to go for irankon.tk and benefit from the kindness of the good people of Tokelau in the South Pacific (see here for details).

First up I went to good old outlook.com and set myself up with a free test account:

AAD Create Email

Then, using that account, I registered with freenom to set myself up with irankon.tk:

Freenom Sign-up

Once I’d completed the registration process the next step was to tell the registrar (freenom) that I wanted to host that zone from Azure DNS by specifying the name servers I got from my “get” cmdlet previously:

Freenom Nameservers

And that was all that was needed.  It took about half an hour for everything to update and the SOA record to reflect what I wanted, but it got there eventually and I was able to check with a simple nslookup:

Freenom SOA Check

Verifying My Azure AD Custom Domain

In the previous post, when I added my custom domain to Azure AD, I left it in an unverified state so now that I’d sorted out my domain and DNS hosting I needed to correct that.

AAD Custom Domain Unverified

Anyone who’s had to add a custom domain into O365 before will be familiar with this process but essentially it boils down to this:

  1. Before you can start using a custom domain you need to prove that you own it. Otherwise we could all add any old domain to our setup without permission (such as someone adding “bbc.co.uk”, for example).
  2. To do this, Microsoft will generate a code and ask you to add it to your DNS zone as a TXT record.
  3. This is then used to verify that you own the domain as, unless you’ve been hacked, under normal circumstances the only person with the power to add a TXT record to a domain’s DNS zone file should be the owner of that domain.

Well in my case I do own irankon.tk and I also have control of DNS via Azure DNS.

So, in the Azure portal I browsed to AAD and clicked the verify button to kick off the whole process:

AAD Add Custom Domain Verify

A screen then popped up with instructions for the TXT record I needed to add into my DNS zone in order to prove that I own it:

AAD Custom Domain Verify

At this point I left the screen open and added the record to DNS with the following PowerShell (change the TXT record value to whatever is appropriate for you):

$RGName = "hub-rg"

$Records = @()
$Records += New-AzureRmDnsRecordConfig -Value "MS=ms00000000"
$RecordSet = New-AzureRmDnsRecordSet `
 -Name "@" `
 -RecordType TXT `
 -ResourceGroupName $RGName `
 -TTL 3600 -ZoneName "irankon.tk" `
 -DnsRecords $Records

Then, once the record and had been added, I simply click the “Verify” button to complete the whole process.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: