We run our infrastructure on AWS and have chosen to use their Managed Active Directory (which I’m beginning to think was a bad idea). They have blocked PowerShell remote access for a start.
Inside the VPC that the AD servers run in are VPC endpoints that have local private IPs.
Once we join a server to Active Directory, which we do by changing the DNS servers of the joining server to point to the AD servers and then issuing a PowerShell Add-Computer command, the VPC endpoints are no longer accessible, because the DNS server on the AD servers only has a DNS forwarder to 169.254.169.253, which points at AWS’ public DNS servers.
To resolve the issue, we have to add Remote DNS management to an AD member server, connect remotely to each AD server, remove the 169 address and add the local DNS address, for example 10.0.0.2, which already forwards queries to the public DNS, so why AWS chose to set 169 seems like a design flaw.
As we have our entire infrastructure as code (Terraform), we are now having to split, or pause, some rollouts so we can manually change the forwarders. Is there a way to write some code that can magically do the change? After all, remote DNS admin tools can do it.
——— Before you say the following: I’m aware I could add a further DNS entry into each joining server to point to the local network default DNS endpoint, but this creates a delay on first lookup that we are trying to avoid. We have even tried to install a DNS server on each joining server with conditional forwarders, but the joining server then doesn’t register its reverse DNS with the AD servers.
You might want to explore the Route53 Resolver service.
Some details of this service are explained here:
Resolving DNS Queries Between VPCs and Your Network
It has a cost to it (you pay for the inbound/outbound interfaces), but it allows you to use Route53 natively, split off requests for your internal AD zone and forward them to your AD controllers, as well as providing upstream internet resolution.
It also allows resolution of internal AWS names:
Domain Names that Resolver Creates Autodefined Rules For
More details here:
Forwarding Inbound DNS Queries to Your VPCs
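As an added illustration of the Route 53 Resolver setup this answer describes (not part of the answer itself), written in Terraform because the question's infrastructure is already in Terraform: an outbound endpoint plus a FORWARD rule that sends only the AD zone to the domain controllers, leaving every other name with the VPC resolver. The variable names, the zone name, the security group and the DC addresses are assumptions to be replaced with real values.

```hcl
# Added example, not from the answer: Route 53 Resolver outbound endpoint
# plus a FORWARD rule for the AD zone. Every ID, name and address below is
# a placeholder; substitute your own (AD DNS IPs come from the directory).
variable "vpc_id" {}
variable "private_subnet_ids" { type = list(string) } # at least two subnets
variable "resolver_sg_id" {}                          # must allow TCP/UDP 53 out to the DCs

locals {
  ad_domain  = "corp.example.com"         # assumed AD zone name
  ad_dns_ips = ["10.0.1.10", "10.0.2.10"] # assumed managed-AD DNS server IPs
}

# Outbound endpoint: the ENIs through which Resolver talks to the DCs
resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "ad-forwarder"
  direction          = "OUTBOUND"
  security_group_ids = [var.resolver_sg_id]

  dynamic "ip_address" {
    for_each = toset(var.private_subnet_ids)
    content {
      subnet_id = ip_address.value
    }
  }
}

# Only queries for the AD zone are forwarded to the domain controllers;
# everything else (VPC endpoints, public names) stays with the VPC resolver
resource "aws_route53_resolver_rule" "ad" {
  domain_name          = local.ad_domain
  rule_type            = "FORWARD"
  name                 = "forward-ad-zone"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id

  dynamic "target_ip" {
    for_each = toset(local.ad_dns_ips)
    content {
      ip = target_ip.value
    }
  }
}

# The rule only takes effect in VPCs it is associated with
resource "aws_route53_resolver_rule_association" "ad" {
  resolver_rule_id = aws_route53_resolver_rule.ad.id
  vpc_id           = var.vpc_id
}
```

With the rule associated, instances can keep the VPC's own resolver as their DNS server and still resolve the AD zone through the domain controllers.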