In the Administering Windows Server Hybrid Core Infrastructure guidance for extending AD DS into Azure, Microsoft states that when you place a domain controller in an Azure virtual network you must run DNS on that domain controller and point the VNet to that DNS server: “Domain controllers in Azure IaaS should host the AD-integrated DNS zone, and the virtual network’s DNS server setting must reference those DC/DNS IPs so Azure VMs use AD DNS rather than the Azure-provided resolver.” The materials also emphasize that Azure’s default DNS cannot host or manage AD DS zones, so custom DNS is required for domain-joined workloads. Therefore, to meet the requirement you (1) install the DNS Server role on DC3 so it can host the corp.fabrikam.com AD-integrated zone (F), and (2) configure the DNS Servers setting on Vnet1 to the IP of DC3 (and any additional DCs), ensuring all Azure VMs in Vnet1 resolve the domain via AD DNS (D). Creating a public Azure DNS zone or a Private DNS zone with the same AD name is not appropriate for AD-integrated name resolution. This design also supports the security requirement of preventing domain controllers from relying on Internet-facing resolvers.