AWS Certified Solutions Architect – Professional — Question 291
A company has a VPC with two domain controllers running Active Directory in the default configuration. The VPC DHCP options set is configured to use the IP addresses of the two domain controllers. There is a VPC interface endpoint defined, but instances within the VPC are not able to resolve the private endpoint addresses.
Which strategies would resolve this issue? (Choose two.)
Answer options
- A. Define an outbound Amazon Route 53 Resolver. Set a conditional forward rule for the Active Directory domain to the Active Directory servers. Update the VPC DHCP options set to AmazonProvidedDNS.
- B. Update the DNS service on the Active Directory servers to forward all non-authoritative queries to the VPC Resolver.
- C. Define an inbound Amazon Route 53 Resolver. Set a conditional forward rule for the Active Directory domain to the Active Directory servers. Update the VPC DHCP options set to AmazonProvidedDNS.
- D. Update the DNS service on the client instances to split DNS queries between the Active Directory servers and the VPC Resolver.
- E. Update the DNS service on the Active Directory servers to forward all queries to the VPC Resolver.
Correct answer: A, B
Explanation
To resolve private VPC endpoint DNS names, queries must ultimately reach the Amazon-provided DNS (the VPC Resolver). Option B achieves this by keeping the AD servers as the primary DNS for the instances while forwarding the queries they are not authoritative for to the VPC Resolver. Option A reverses this strategy: clients are pointed directly at AmazonProvidedDNS via the DHCP options set, and an outbound Route 53 Resolver endpoint with a conditional forwarding rule sends only AD-domain queries back to the AD servers. Inbound Resolver endpoints (Option C) exist so that on-premises resolvers can query the VPC Resolver for VPC names, which does not help instances inside the VPC, and forwarding all queries to the VPC Resolver (Option E) would break resolution of the local Active Directory domain.