Active Directory Integration Guide

How to use Control D in AD environments

If you are using Active Directory on your network, and install the ctrld DNS daemon on the individual endpoints, be aware of the following potential issue, and solutions.


All DNS traffic is sent to Control D

ctrld DNS daemon will take over all DNS resolution on the endpoint, and send all DNS queries to a Control D resolver, including your local domains, and hostnames of your AD servers.

This can effectively break the Active Directory connectivity, as your local domains will not be resolvable via Control D.

There are 2 ways to solve this issue.

1. Mirror Controller DNS Records

The best and simplest way to resolve this problem is to simply mirror your AD controller DNS records in Control D, using Custom Rules. For example, let's pretend your AD controller is and it points to Simply create a redirect rule that replicates this DNS record from your local DNS, in Control D interface.

Now, any Device that enforces a Profile that has this Custom Rule, will be able to resolve and reach the desired AD server. This method effectively deprecates the need for running a local DNS server on your network.


Word of Caution

This method works for most, but depending on the complexity of your AD environment, it may not be 100% effective if you have shared network drives. If you find that they are offline, or you have other types of "here be dragons" kind of issues, the 2nd method may be more applicable.

2. Split Horizon DNS

This method allows you to still use your internal DNS servers to resolve local domains, allowing your existing infrastructure to keep doing its thing. Let's create a split DNS policy that sends your local domain's DNS queries to internal DNS servers, while steering everything else to Control D.


DNS Daemon Required

This method will only work if you use the Command Line Daemon which enables split routed DNS, and will enforce the rules you create below. If you don't use the ctrld DNS daemon, you will have to split route your domains manually.

This sounds scarier than it actually is. There are just 2 steps.

  1. In a Profile that is enforced by all devices in your Active Directory domain, create a special folder with this exact name: Control D Bypass.

  2. Create a BYPASS Custom rule that matches your AD domain, wildcard rule is suggested. For example, if your AD domain is example.local you would create a rule like this:

Now, when you provision a Control D endpoint that enforces this Profile, all DNS queries for your local domain(s) would be sent to the default DNS server that was configured before Control D was installed, as pushed by your DHCP server.

You can use this folder to split route any domain, and resolve it locally.