Active Directory with Twingate

If you are deploying Twingate onto a network using Active Directory, a few configuration steps in Twingate will help your users continue to use their AD services without issue.

Domain Joins

If a computer is not yet joined to your domain and your domain controller is not on the computer's local network, it is not currently possible to perform the initial AD domain join over Twingate. This functionality will be provided in an upcoming release. For now, we recommend configuring AD devices on a LAN before delivering them to the user. Do not attempt to join the domain over Twingate, as it could put the device into a bad state that will then have to be reversed.

If properly configured, all other AD actions will work as expected, as long as the client is already part of the domain.

Setting up the Domain Controller

In order to use any services that require Active Directory authentication, you must enable clients using Twingate to discover and communicate with the domain controller. Any clients that need to use the domain in any way must have access to these Resources.

  1. Add a Resource with the DNS name of *_tcp.*, replacing with the name of your AD domain, and make sure it appears in your clients' Resource lists.
  2. Run nslookup -type=any (Linux/Mac) or nslookup -type=all (Windows), replacing with your AD domain. This should return the domain names and/or IPs of your domain controller(s).
  3. Add the domain controller IPs and domain names to Twingate as Resources, and make sure they appear in the clients' Resource lists.

This will enable AD authentication for any service that requires it.

Below is a notional example using as the AD domain

nslookup -type=any
Address:    service = 0 100 389    service = 0 100 389

In this situation, you want to add and and assign it to the Everyone Group.
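As an added example (not Twingate's own tooling), the shell script below turns the Linux/Mac nslookup output from step 2 into the checklist of Resources that steps 1 and 3 ask for. It assumes the SRV name queried is _ldap._tcp.<domain> (an assumption; the port 389 in the output above is LDAP) and uses corp.example as a placeholder domain. The nslookup output embedded in it is constructed, not captured from a real domain controller.

```shell
#!/bin/sh
# Added example, not Twingate's own tooling: build a checklist of the Twingate
# Resources needed for AD authentication from the output of step 2,
#   nslookup -type=any _ldap._tcp.<domain>        (Linux/Mac output format)
# Assumptions: the SRV name above is the one queried in step 2, and
# corp.example is a placeholder domain.

# Constructed sample output (not captured from a real DC). SRV answers are
# printed by nslookup as: <name> service = <priority> <weight> <port> <target>.
SAMPLE_NSLOOKUP_OUTPUT='Server:   10.0.0.2
Address:  10.0.0.2#53

_ldap._tcp.corp.example   service = 0 100 389 dc1.corp.example.
_ldap._tcp.corp.example   service = 0 100 389 dc2.corp.example.
_ldap._tcp.corp.example   service = 10 50 389 dc3.corp.example.'

# srv_targets: read nslookup output on stdin and print "priority host port"
# for each SRV answer, without the trailing dot of the FQDN, duplicates removed.
srv_targets() {
    awk '$2 == "service" && $3 == "=" {
        host = $NF
        sub(/\.$/, "", host)
        print $(NF-3), host, $(NF-1)
    }' | sort -u
}

# dc_hosts: unique domain-controller host names, lowest (preferred) priority first.
dc_hosts() {
    srv_targets | sort -k1,1n -k2,2 | awk '!seen[$2]++ { print $2 }'
}

# resource_plan DOMAIN: print one "<label><TAB><address>" line per Resource that
# must exist in Twingate, using the same labels as the configuration table on this page.
resource_plan() {
    domain=$1
    printf 'AD Domain\t%s\n' "$domain"
    # Assumption: the service-discovery Resource is the SRV name queried in step 2.
    printf 'Domain Service Discovery\t_ldap._tcp.%s\n' "$domain"
    n=0
    dc_hosts | while read -r host; do
        n=$((n + 1))
        printf 'Domain Controller %d\t%s\n' "$n" "$host"
    done
}

# Demo on the constructed sample; with a real domain the pipeline would be
#   nslookup -type=any _ldap._tcp.corp.example | resource_plan corp.example
printf '%s\n' "$SAMPLE_NSLOOKUP_OUTPUT" | resource_plan corp.example
```

Run it with sh; the last line prints the plan for the constructed sample. The IP addresses of the returned hosts (also required by step 3) come from a separate A-record lookup that the script does not perform, and the Windows nslookup -type=all output uses a multi-line layout that this parser does not handle.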

Verifying the final configuration

For the example above, the final configuration in Twingate will look something like this:

Resource Label             Resource Address
-------------------------  ------------------------------------------------------------------
AD Domain                  Your company's AD domain.
Domain Controller 1        This resource and the next one are returned by the DNS SRV request
                           in the instructions above. These addresses point to your domain
                           controllers. (Depending on your domain configuration, the number of
                           domain controllers you have may vary.)
Domain Controller 2        See the note above.
Domain Service Discovery   This allows service discovery on your AD domain.

Typically these resources should be assigned to the automatic "Everyone" group (or a group of all Windows users) to simulate your users being joined to a physical Windows domain network while connected to Twingate.

Port restrictions

Once connectivity has been verified using the above steps, you may wish to restrict access to only required ports. For more information please refer to the Microsoft support document How to configure a firewall for Active Directory domains and trusts.

Other Troubleshooting Tips

  • NetBIOS name resolution will not work over Twingate without a domain controller acting as a directory service, as it relies on broadcast communication over a LAN. Windows file sharing will still work by using the machine's IP or DNS name, as long as the user in question has access to the Resource.
  • If your domain controller is in Azure and your Connector is deployed as an Azure Container, you must check the Custom DNS Server option when deploying and use one of the DC IPs. Make sure the subnet the Container is deployed in is in the same VNet as the DC, or can otherwise communicate with it. Azure Containers do not automatically inherit the right DNS settings otherwise. Alternatively, if you deploy the Connector on a Linux VM instead, DNS will be configured correctly at start and should not need any special configuration.
