Resolve queries for non-Managed Microsoft AD objects
This topic shows you how to configure DNS forwarding so that queries from a Google Cloud authorized network for Active Directory resources located in another domain succeed.
Context
When you use a Google Cloud VM that is domain-joined to Managed Microsoft AD and try to look up users or objects that are not located on the same VPC network, the lookup fails. It fails because the default Windows configuration does not forward the query to the Managed Microsoft AD domain; instead, the VM uses the DNS server of the VPC network it is in. That DNS server has no information about Managed Microsoft AD users and objects outside the VPC network, so the lookup fails.
DNS forwarding is useful whenever you need to resolve resources located outside the Google Cloud VPC network. For example, if the Managed Microsoft AD domain has a trust relationship with the target domain, this configuration is required: the domain controllers on each side must be able to resolve the other domain's DNS records (such as the domain controller locator SRV records) for the trust to work.
Before you begin
Before you begin, verify the following configurations.
- The Google Cloud VM must be domain-joined to the Managed Microsoft AD domain.
- The forwarding target name server is reachable from within your VPC network. You can test that it is reachable with the following steps:
  Console
  Before you begin, verify that the Network Management API (https://console.cloud.google.com/marketplace/product/google/networkmanagement.googleapis.com) is enabled.
  1. Go to the Connectivity Tests page in the Google Cloud console: https://console.cloud.google.com/net-intelligence/connectivity/tests
  2. Create and run a Connectivity Test with the following values:
     - Protocol: TCP
     - Source: IP address from your Google Cloud VPC
     - Destination: IP address of your on-premises DNS server
     - Destination port: 53
  Learn more about creating and running Network Connectivity Tests (/network-intelligence-center/docs/connectivity-tests/how-to/running-connectivity-tests). A Connectivity Test checks that firewall rules and routes allow the path; it does not send a DNS query, so also run the nslookup check below from a VM on the network.
  PowerShell
  In Windows PowerShell, run the following command, replacing domain-name with the target domain and dns-server-ip with the IP address of the target DNS server:
  ```
  nslookup domain-name dns-server-ip
  ```
  Learn more about nslookup (https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/nslookup).
If your target is an on-premises domain, verify the following firewall configuration.
- The firewall must be configured to allow users from the Managed Microsoft AD domain to access on-premises resources. Learn about firewall configurations for accessing on-premises resources (/managed-microsoft-ad/docs/firewalls#accessing_on-premises_active_directory_resources_from).
If you are using private DNS forwarding, that is, Cloud DNS reaches the forwarding target over Cloud Interconnect or Cloud VPN, there are a few additional prerequisites.
- Your on-premises firewall must pass queries from Cloud DNS. To allow this, configure the firewall to allow Cloud DNS queries from the 35.199.192.0/19 IP address range on both UDP port 53 and TCP port 53 (DNS falls back to TCP for responses too large for a UDP datagram). If you are using multiple Cloud Interconnect connections or VPN tunnels, be sure that the firewall allows traffic for all of them.
- Your on-premises network must have a route that directs traffic destined to 35.199.192.0/19 back to your VPC network.
Target domain is not on a VPC network
To configure DNS forwarding from Google Cloud to an on-premises domain that is not on a VPC network, use a forwarding zone. Learn about DNS forwarding zones (/dns/docs/zones/zones-overview#forwarding_zones).
To create a forwarding zone that resolves the on-premises DNS name to the IP addresses of the on-premises DNS servers, complete the following steps.
Console
1. Go to the Cloud DNS page in the Google Cloud console: https://console.cloud.google.com/networking/dns/zones/
2. Create a DNS zone with the following values:
   - Zone type: Private
   - DNS name: Target DNS name
   - Options: Forward queries to another server
   - Destination DNS servers: IP addresses of target DNS servers
   - Networks: the VPC network of the domain-joined VM (a private zone is only used by the networks it is attached to)
Learn more about creating DNS forwarding zones (/dns/zones#creating-forwarding-zones).
gcloud
To create a new managed private forwarding zone, use the dns managed-zones create command (/sdk/gcloud/reference/dns/managed-zones/create):
```
gcloud dns managed-zones create name \
    --description=description \
    --dns-name=on-premises-dns-name \
    --networks=vpc-network-name \
    --forwarding-targets=on-premises-dns-ip-addresses \
    --visibility=private
```
Replace name with a name for the zone, on-premises-dns-name with the fully qualified target domain name ending in a dot (for example corp.example.com.), vpc-network-name with the VPC network the VM is on, and on-premises-dns-ip-addresses with a comma-separated list of target DNS server addresses. For targets that Cloud DNS must reach over Cloud Interconnect or Cloud VPN (private DNS forwarding, see the prerequisites above), use --private-forwarding-targets instead of --forwarding-targets.
Learn more about creating DNS forwarding zones (/dns/zones#creating-forwarding-zones).
Target domain is on a VPC network
To configure DNS forwarding from Google Cloud to a self-managed domain that is on a VPC network, follow the steps for Cloud DNS (/dns/docs/zones/zones-overview#forwarding_zones) that are relevant to your configuration.
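The following script is an added example and is not part of the original page or Google's own tooling. It wraps the forwarding-zone creation from the section above: it validates the zone and network names, forces the trailing dot on the DNS name, checks every forwarding target is an IPv4 address, picks --forwarding-targets or --private-forwarding-targets according to the routing you need, prints the resulting gcloud arguments (or runs them when APPLY=1), and, when VERIFY=1 on a Linux VM in the attached VPC, asks Cloud DNS for the domain's DC locator SRV record over UDP and TCP. The zone name corp-ad-forward, the domain corp.example.com, the network prod-vpc and the target addresses 10.10.0.10 and 10.10.0.11 are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): validate inputs for the Cloud DNS
# forwarding zone, print the exact gcloud arguments one per line, run them when
# APPLY=1, and verify the zone from a VM when VERIFY=1.
# Zone name, DNS name, network name and target IPs below are hypothetical.
set -eu
LC_ALL=C; export LC_ALL

# Cloud DNS wants an absolute DNS name; append the trailing dot if it is missing.
normalize_dns_name() {
  case "$1" in
    *.) printf '%s\n' "$1" ;;
    *)  printf '%s.\n' "$1" ;;
  esac
}

# Accept only a dotted quad whose four octets are all in 0..255.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$_old_ifs
  [ "$#" -eq 4 ] || return 1
  for _octet in "$@"; do
    [ "${#_octet}" -le 3 ] && [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# Google Cloud resource names: lowercase letters, digits and hyphens, starting
# with a letter, not ending with a hyphen, at most 63 characters.
is_gcp_name() {
  case "$1" in
    ''|*[!a-z0-9-]*|*-|[!a-z]*) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

# Print, one per line, the arguments of the gcloud command that creates the zone.
#   $1 zone name   $2 target DNS name   $3 VPC network the zone is attached to
#   $4 routing: "standard" (--forwarding-targets) or "private"
#      (--private-forwarding-targets: Cloud DNS always sends the query over
#      Cloud VPN/Interconnect from 35.199.192.0/19, the case the page's
#      firewall and route prerequisites cover)   $5.. target IPv4 addresses
build_forwarding_zone_args() {
  _zone=$1; _dns=$(normalize_dns_name "$2"); _net=$3; _routing=$4
  shift 4
  is_gcp_name "$_zone" || { echo "invalid zone name: $_zone" >&2; return 1; }
  is_gcp_name "$_net" || { echo "invalid network name: $_net" >&2; return 1; }
  [ "$#" -gt 0 ] || { echo "at least one forwarding target is required" >&2; return 1; }
  _targets=
  for _target in "$@"; do
    is_ipv4 "$_target" || { echo "invalid forwarding target: $_target" >&2; return 1; }
    _targets="${_targets:+$_targets,}$_target"
  done
  case "$_routing" in
    standard) _flag=--forwarding-targets ;;
    private)  _flag=--private-forwarding-targets ;;
    *) echo "routing must be standard or private, got: $_routing" >&2; return 1 ;;
  esac
  printf '%s\n' gcloud dns managed-zones create "$_zone" \
    "--description=Forward $_dns to self-managed AD DNS" \
    "--dns-name=$_dns" --visibility=private "--networks=$_net" "$_flag=$_targets"
}

# From a Linux VM on the attached VPC network, ask Cloud DNS (the metadata
# resolver 169.254.169.254) for the domain's DC locator SRV record over UDP
# and then over TCP, since the prerequisites require both ports to be open.
verify_zone() {
  _srv="_ldap._tcp.dc._msdcs.$(normalize_dns_name "$1")"
  for _opt in +notcp +tcp; do
    dig +short "$_opt" @169.254.169.254 "$_srv" SRV | grep -q . \
      || { echo "no SRV answer for $_srv ($_opt) via Cloud DNS" >&2; return 1; }
  done
  echo "forwarding works: $_srv resolves via Cloud DNS"
}

main() {
  _args=$(build_forwarding_zone_args corp-ad-forward corp.example.com prod-vpc private 10.10.0.10 10.10.0.11)
  if [ "${APPLY:-0}" = 1 ]; then
    # Split only on newlines, with globbing off, so the description survives intact.
    _old_ifs=$IFS; IFS='
'
    set -f; set -- $_args; set +f; IFS=$_old_ifs
    "$@"
  else
    printf '%s\n' "$_args"
  fi
  [ "${VERIFY:-0}" = 1 ] && verify_zone corp.example.com
  return 0
}

main "$@"
```

Run it once without variables to review the arguments, then `APPLY=1 ./forward-zone.sh` from a shell that has gcloud authenticated against the project, and `VERIFY=1 ./forward-zone.sh` from a VM on prod-vpc that has dig installed. The validation matters because a DNS name without the trailing dot, a mistyped target address, or a zone that is not attached to the VM's network each produce a zone that exists but never forwards anything.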