AADDS DNS Failing: Non-existent domain for its own SRV records

Steve Roberts 0 Reputation points
2025-10-24T18:28:16.7833333+00:00

Good afternoon all,

Domain name changed to protect the innocent, but I am sure this has to be something simple.

I am trying to domain-join an on-premises server to a Microsoft Entra Domain Services (AADDS) managed domain. All network connectivity and firewall rules appear to be correct, but the AADDS DNS servers are failing to resolve their own SRV records.

My Environment:

  • AADDS Domain: mydomain.bm
  • AADDS IPs (DNS): 10.0.0.4 and 10.0.0.5
  • AADDS VNet: Myvnet/default
  • On-Prem Server Subnet: 192.168.2.0/24
  • Connectivity: Site-to-Site VPN (confirmed up and routing)

Troubleshooting Steps Performed

I have already completed the following steps:

1. Verified TCP Port Connectivity

I ran Test-NetConnection from my on-prem server (192.168.2.x) to both AADDS IPs. All critical TCP ports are OPEN and succeeded:

  • Port 53 (DNS)
  • Port 88 (Kerberos)
  • Port 135 (RPC)
  • Port 389 (LDAP)
  • Port 445 (SMB)
  • Port 636 (LDAP SSL)
  • Port 3268 (Global Catalog)

2. Verified NSG Firewall Rules

My AADDS-bmg.bm-NSG has the following inbound "Allow" rules, which cover all required protocols from my on-prem subnet:

  • Rule mydomaintoADDS (Priority 342): Allows TCP on ports 389,53,88,445 from 192.168.2.0/24.
  • Rule mydomaintoADDS_UDP (Priority 352): Allows UDP on ports 389,53,88,445 from 192.168.2.0/24.

3. Verified AADDS Configuration

I ran Get-AzADDomainService -Name "mydomain.bm" in Cloud Shell, and it confirms my configuration is correct:

  • DomainName: mydomain.bm
  • domainControllerIpAddress: [ "10.0.0.4", "10.0.0.5" ]
  • The "Health" blade in the Azure portal for bmg.bm shows no alerts and a "Running" status.

The Current Problem

My on-prem server is configured to use 10.0.0.4 for DNS. When I run nslookup to find the critical SRV record, the AADDS DNS server itself responds that the domain does not exist.

Failing Command: (domain name removed)

PS C:\> nslookup -type=SRV _ldap._tcp.dc._msdcs.mydomain.bm 10.0.0.4

Exact Error Message:

Server:  UnKnown
Address:  10.0.0.4

mydomain UnKnown can't find _ldap._tcp.dc._msdcs.mydomain.bm: Non-existent domain

My Question: Why is my AADDS instance (at 10.0.0.4) returning Non-existent domain for its own essential SRV records, even though all connectivity is verified and the service reports as "Healthy"? This seems to be an internal service failure.

Any help would be appreciated.

Thank you.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. SUNOJ KUMAR YELURU 16,686 Reputation points MVP Volunteer Moderator
    2025-10-25T04:10:47.5533333+00:00

    Hello @Steve Roberts

    The "Non-existent domain" error when querying SRV records on a healthy AADDS instance is likely due to an incorrect SRV record query structure. The provided query includes an unnecessary wildcard and ldap segment, which doesn't match the standard SRV record format used by Active Directory.

    1. The original query *ldap.*tcp.dc._msdcs.mydomain.bm uses a wildcard and an extra ldap segment, deviating from the standard SRV record format.
    2. The correct format for querying LDAP SRV records is _ldap._tcp.dc._msdcs.mydomain.bm and for Kerberos SRV records is _kerberos._tcp.dc._msdcs.mydomain.bm.
    3. The AADDS instance reports as healthy, indicating the service itself is running correctly, but the DNS query is misconfigured.

    If the Answer is helpful, please click Accept Answer and Up-Vote, so that it can help others in the community looking for help on similar topics.

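The port checks from the question and the SRV record names from the answer, combined into one diagnostic run from the on-prem server. This is an added example, not code posted by either participant or shipped by Microsoft; the domain, DC addresses and TCP port list are the placeholders from the question, and the $srvNames list is my assumption of the standard DC-locator records a domain join resolves. It goes beyond the single record queried in the question: it first asks each server for the zone's SOA record, so that an NXDOMAIN for a name under the zone can be told apart from a query that never reached a server hosting the zone.

```powershell
# Added example (not from the original question or answer). Checks each Entra
# Domain Services DC for TCP reachability, zone authority (SOA) and the SRV
# records a domain join needs. Values below are the question's placeholders.
param(
    [string]   $Domain   = 'mydomain.bm',
    [string[]] $DcIps    = @('10.0.0.4', '10.0.0.5'),
    [int[]]    $TcpPorts = @(53, 88, 135, 389, 445, 636, 3268)
)

# Assumed list of DC-locator SRV names. Every label carries a leading underscore;
# a client that omits it queries a different (non-existent) name.
$srvNames = @(
    "_ldap._tcp.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_gc._tcp.$Domain",
    "_kpasswd._tcp.$Domain"
)

$results = foreach ($dc in $DcIps) {
    # Test-NetConnection probes TCP only. The Resolve-DnsName calls further down
    # exercise UDP 53 as a side effect; UDP 88 and 389 are not tested here.
    foreach ($port in $TcpPorts) {
        $tnc = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        $state = if ($tnc.TcpTestSucceeded) { 'open' } else { 'CLOSED' }
        [pscustomobject]@{ Server = $dc; Check = "tcp/$port"; Result = $state }
    }

    # Zone authority check. A server that answers the SOA for the zone but
    # returns NXDOMAIN for a name inside it has a zone-content problem; a
    # server that fails the SOA query is not hosting the zone at all.
    try {
        $soa = Resolve-DnsName -Name $Domain -Type SOA -Server $dc -DnsOnly -ErrorAction Stop |
               Where-Object Type -eq 'SOA'
        [pscustomobject]@{ Server = $dc; Check = "SOA $Domain"; Result = "ok, primary=$($soa.PrimaryServer)" }
    } catch {
        [pscustomobject]@{ Server = $dc; Check = "SOA $Domain"; Result = "FAIL: $($_.Exception.Message)" }
    }

    foreach ($name in $srvNames) {
        try {
            # -DnsOnly skips the local cache and hosts file, so the answer is the server's own.
            $srv = Resolve-DnsName -Name $name -Type SRV -Server $dc -DnsOnly -ErrorAction Stop |
                   Where-Object Type -eq 'SRV'
            $targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ','
            [pscustomobject]@{ Server = $dc; Check = "SRV $name"; Result = "ok -> $targets" }
        } catch {
            [pscustomobject]@{ Server = $dc; Check = "SRV $name"; Result = "FAIL: $($_.Exception.Message)" }
        }
    }
}

$results | Format-Table -AutoSize
```

Run it from the on-prem server as it is configured today (DNS pointed at 10.0.0.4). A row where every TCP port is open and the SOA query succeeds but the SRV rows fail is the condition described in the question and is what to hand to support; a failed SOA row instead points at routing, NSG, or the wrong DNS server address.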
