Resolving queries for non-Managed AD objects in VPC networks

This topic shows you how to configure DNS forwarding so that queries from a Google Cloud authorized network for Active Directory resources located in another domain succeed.


When using a Google Cloud VM domain-joined to Managed Microsoft AD, if you try to look up users or objects that are not located on the same VPC network, the search fails. It fails because the default Windows configuration does not forward the query to the Managed Microsoft AD domain. Instead, it uses the DNS server for the VPC where the VM is located. This DNS server does not have information about Managed Microsoft AD users and objects outside the VPC network, so the lookup fails.

DNS forwarding is useful in any case where you need to resolve resources located outside the VPC network from Google Cloud. For example, if the Managed Microsoft AD domain has a trust relationship with the target domain, this configuration is required.

Before you begin

Before you begin, verify the following configurations.

  • The Google Cloud VM must be domain-joined to the Managed Microsoft AD domain.

  • The forwarding target name server is reachable from within your VPC network. You can test that it is reachable with the following steps:


    Before you begin, verify that the Network Management API is enabled.

    1. Go to the Connectivity Tests page in the console.
      Go to the Connectivity Tests page

    2. Create and run a Connectivity Test with the following values:

      • Protocol: TCP
      • Source: IP address from your Google Cloud VPC
      • Destination: IP address of your on-premises DNS server
      • Destination port: 53

    Learn more about creating and running Network Connectivity Tests.


    In Windows PowerShell, run the following command:

    nslookup domain-name dns-server-ip

    Learn more about nslookup.

If your target is an on-premises domain, verify the following firewall configuration.

If you are using private DNS forwarding, there are a few additional prerequisites.

  • Your on-premises firewall must pass queries from Cloud DNS. To allow this, configure the firewall to allow Cloud DNS queries from the IP address range on UDP port 53 or TCP port 53. If you are using multiple Cloud Interconnect connections or VPN tunnels, be sure that the firewall allows traffic for all of them.

  • Your on-premises network must have a route that directs traffic destined to back to your VPC network.

Target domain is not on a VPC network

To configure DNS forwarding from Google Cloud to an on-premises domain that is not on a VPC network, you should use a forwarding zone. Learn about DNS forwarding zones.

To create a forwarding zone that resolves the on-premises DNS name to the IP addresses of on-premises DNS servers, complete the following steps.


  1. Go to the Cloud DNS page in the console.
    Go to the Cloud DNS page

  2. Create a DNS zone with the following values:

    • Zone type: Private
    • DNS name: Target DNS name
    • Options: Forward queries to another server
    • Destination DNS servers: IP addresses of target DNS servers

Learn more about creating DNS forwarding zones.


To create a new managed private forwarding zone, you should use the dns managed-zones create command:

gcloud dns managed-zones create name \
    --description=description \
    --dns-name=on-premises-dns-name \
    --forwarding-targets=on-premises-dns-ip-addresses \

Learn more about creating DNS forwarding zones.

Target domain is on a VPC network

To configure DNS forwarding from Google Cloud to a self-managed domain that is on a VPC network, follow the steps for Cloud DNS that are relevant for your configuration.