Netgate Discussion Forum

    Windows Server behind pfsense

    DHCP and DNS
    16 Posts 5 Posters 7.5k Views
    Witchdoc59

      I'm running a Windows Server 2012 R2 domain controller behind a pfSense firewall.  Everything is working well; however, I'm getting the following message on the DC DNS.

      Network interfaces must be configured with DNS servers that are able to resolve Global Catalog service records for the domain controller.

      A DNS server configured on the network interface did not respond to a query for the _ldap._tcp.gc._msdcs.<DnsDomainName> service (SRV) record.

      Anyone have any suggestions as to how to eliminate this?
      All and any comments greatly appreciated.
      WD

      CHfish

        Use 127.0.0.1 as the DNS server on the network interface and set up the DC DNS server to use pfSense or external DNS servers as forwarders.

        Witchdoc59

          All of that has been done but it doesn't address the issues I'm having.

          WD

          johnpoz (LAYER 8 Global Moderator)

            If you're not pointing your DC to pfSense or outside DNS and you get this error

            "A DNS server configured on the network interface did not respond to a query for the _ldap._tcp.gc._msdcs.<DnsDomainName> service (SRV) record."

            and you're pointing it at itself, then it has a problem - run diag on your Windows box, use the DNS test flag, say dcdiag /dnsall.

            How about a simple ipconfig /all output from your DC so we can see where it's pointing to for DNS on this interface.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

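Added example, mine and not from the thread, Netgate or Microsoft: a PowerShell script that does the check johnpoz is asking for by hand, but for every DNS server listed on every active adapter of the DC. It queries each server directly for the `_ldap._tcp.gc._msdcs.<domain>` SRV record named in the BPA error and reports which servers can answer for it. The function name `Test-DnsServersForRecord` is my own; the domain is read from the host, and only the standard NetAdapter/DnsClient cmdlets shipped with Windows Server 2012 and later are used. Run it in an elevated PowerShell on the DC.

```powershell
# Added example, not from the thread. Queries every DNS server configured on
# every active adapter of this host for the Global Catalog locator SRV record
# that the Best Practices Analyzer complained about, and reports which servers
# can answer for it. Run in an elevated PowerShell on the DC.
param(
    # Defaults to the AD domain this host is joined to; override for another domain.
    [string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain
)

function Test-DnsServersForRecord {
    # Function name is mine; it only wraps the standard NetAdapter/DnsClient cmdlets.
    param(
        [Parameter(Mandatory)] [string]$Record,
        [string]$Type = 'SRV'
    )

    $results = @()
    foreach ($adapter in (Get-NetAdapter | Where-Object Status -eq 'Up')) {
        $servers = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).ServerAddresses
        foreach ($server in $servers) {
            $row = [ordered]@{
                Adapter   = $adapter.Name
                DnsServer = $server
                Resolved  = $false
                Targets   = ''
                Error     = ''
            }
            try {
                # -DnsOnly bypasses the local cache, LLMNR and NetBIOS, and -Server
                # sends the query to this one server only, so a positive result
                # really means *this* server knows the record.
                $answer = Resolve-DnsName -Name $Record -Type $Type -Server $server -DnsOnly -NoHostsFile -ErrorAction Stop |
                          Where-Object Type -eq $Type
                $row.Resolved = [bool]$answer
                $row.Targets  = ($answer | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            } catch {
                # Timeouts and NXDOMAIN both land here; the BPA treats either as "did not respond".
                $row.Error = $_.Exception.Message
            }
            $results += [pscustomobject]$row
        }
    }
    return $results
}

$GcRecord = "_ldap._tcp.gc._msdcs.$Domain"     # the record named in the BPA error
$report   = Test-DnsServersForRecord -Record $GcRecord
$report | Format-Table -AutoSize

# Every server listed here is one the BPA will flag on that adapter. Either
# drop it from the adapter's DNS list or make it forward the AD zones to the DC.
$failing = $report | Where-Object { -not $_.Resolved } | Select-Object -ExpandProperty DnsServer -Unique
if ($failing) {
    Write-Warning ("DNS servers that cannot resolve {0}: {1}" -f $GcRecord, ($failing -join ', '))
}
```

On the ipconfig posted later in this thread the script would produce rows for 192.168.0.1 on both adapters with Resolved = False, because pfSense has no copy of the _msdcs zone and cannot answer for it, while 192.168.0.2, 192.168.0.4 and 127.0.0.1 all reach the DC's own DNS service and resolve.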
            Witchdoc59

              I'm having issues posting a reply.

              WD

              Witchdoc59

                Ok perhaps I can do this in parts.

                Here is one of the errors I'm getting on my Domain controller.
                 Title:
                DNS: The DNS server 192.168.0.1 on Ethernet must resolve Global Catalog resource records for the domain controller

                Severity
                Error

                Date:
                2014-09-19 11:07:02 PM

                Category:
                Configuration

                Problem:
                The DNS server 192.168.0.1 on Ethernet did not successfully resolve the name _ldap._tcp.gc._msdcs.mynet.net.

                Impact:
                Active Directory Domain Services (AD DS) operations that depend on locating a Global Catalog will fail.

                Resolution
                Click Start, click Network, click Network and Sharing Center, and then click Change adapter settings to configure DNS servers that can resolve the name _ldap._tcp.gc._msdcs.mynet.net.

                 http://go.microsoft.com/fwlink/?LinkId=121970

                Witchdoc59

                   Here are the results of the ipconfig /all

                   Windows IP Configuration

                  Host Name . . . . . . . . . . . . : Starbase
                    Primary Dns Suffix  . . . . . . . : mynet.net
                    Node Type . . . . . . . . . . . . : Hybrid
                    IP Routing Enabled. . . . . . . . : No
                    WINS Proxy Enabled. . . . . . . . : No
                    DNS Suffix Search List. . . . . . : mynet.net

                  Ethernet adapter vEthernet (D-Link DGE-530T Gigabit Ethernet Adapter - Virtual Switch):

                  Connection-specific DNS Suffix  . :
                    Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
                    Physical Address. . . . . . . . . : B8-A3-86-7C-1E-20
                    DHCP Enabled. . . . . . . . . . . : No
                    Autoconfiguration Enabled . . . . : Yes
                    IPv4 Address. . . . . . . . . . . : 192.168.0.4(Preferred)
                    Subnet Mask . . . . . . . . . . . : 255.255.255.0
                    Default Gateway . . . . . . . . . : 192.168.0.1
                    DNS Servers . . . . . . . . . . . : 192.168.0.2
                                                        192.168.0.1
                                                        192.168.0.4
                                                        127.0.0.1
                    NetBIOS over Tcpip. . . . . . . . : Enabled

                  Ethernet adapter Ethernet:

                  Connection-specific DNS Suffix  . :
                    Description . . . . . . . . . . . : Intel(R) 82566DM-2 Gigabit Network Connection
                    Physical Address. . . . . . . . . : 00-1C-C0-65-9B-0E
                    DHCP Enabled. . . . . . . . . . . : No
                    Autoconfiguration Enabled . . . . : Yes
                    IPv4 Address. . . . . . . . . . . : 192.168.0.2(Preferred)
                    Subnet Mask . . . . . . . . . . . : 255.255.255.0
                    Default Gateway . . . . . . . . . : 192.168.0.1
                    DNS Servers . . . . . . . . . . . : 192.168.0.1
                                                        192.168.0.2
                                                        192.168.0.4
                                                        127.0.0.1
                    NetBIOS over Tcpip. . . . . . . . : Enabled

                  Tunnel adapter Teredo Tunneling Pseudo-Interface:

                  Media State . . . . . . . . . . . : Media disconnected
                    Connection-specific DNS Suffix  . :
                    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
                    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
                    DHCP Enabled. . . . . . . . . . . : No
                    Autoconfiguration Enabled . . . . : Yes

                  Tunnel adapter isatap.{308716D4-362B-4F22-AF6F-4329875B6E05}:

                  Connection-specific DNS Suffix  . :
                    Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
                    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
                    DHCP Enabled. . . . . . . . . . . : No
                    Autoconfiguration Enabled . . . . : Yes
                    Link-local IPv6 Address . . . . . : fe80::5efe:192.168.0.2%15(Preferred)
                    Default Gateway . . . . . . . . . :
                    DHCPv6 IAID . . . . . . . . . . . : 251658240
                    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-AB-AC-B3-00-1C-C0-65-9B-0E
                    DNS Servers . . . . . . . . . . . : 192.168.0.1
                                                        192.168.0.2
                                                        192.168.0.4
                                                        127.0.0.1
                    NetBIOS over Tcpip. . . . . . . . : Disabled

                  Tunnel adapter isatap.{15E62D1F-803D-4A33-B62A-2767C7580D28}:

                  Connection-specific DNS Suffix  . :
                    Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
                    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
                    DHCP Enabled. . . . . . . . . . . : No
                    Autoconfiguration Enabled . . . . : Yes
                    Link-local IPv6 Address . . . . . : fe80::5efe:192.168.0.4%17(Preferred)
                    Default Gateway . . . . . . . . . :
                    DHCPv6 IAID . . . . . . . . . . . : 285212672
                    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-AB-AC-B3-00-1C-C0-65-9B-0E
                    DNS Servers . . . . . . . . . . . : 192.168.0.2
                                                        192.168.0.1
                                                        192.168.0.4
                                                        127.0.0.1
                    NetBIOS over Tcpip. . . . . . . . : Disabled

                  Witchdoc59

                     And finally here are the results of the dcdiag /dnsall

                     Directory Server Diagnosis

                    Performing initial setup:

                    Trying to find home server…

                    Home Server = Starbase

                    * Identified AD Forest.
                      Done gathering initial info.

                    Doing initial required tests

                    Testing server: Default-First-Site-Name\STARBASE

                    Starting test: Connectivity

                    ......................... STARBASE passed test Connectivity

                    Doing primary tests

                    Testing server: Default-First-Site-Name\STARBASE

                    Starting test: Advertising

                    ......................... STARBASE passed test Advertising

                    Starting test: FrsEvent

                    ......................... STARBASE passed test FrsEvent

                    Starting test: DFSREvent

                    ......................... STARBASE passed test DFSREvent

                    Starting test: SysVolCheck

                    ......................... STARBASE passed test SysVolCheck

                    Starting test: KccEvent

                    ......................... STARBASE passed test KccEvent

                    Starting test: KnowsOfRoleHolders

                    ......................... STARBASE passed test KnowsOfRoleHolders

                    Starting test: MachineAccount

                    ......................... STARBASE passed test MachineAccount

                    Starting test: NCSecDesc

                    ......................... STARBASE passed test NCSecDesc

                    Starting test: NetLogons

                    [STARBASE] User credentials does not have permission to perform this

                    operation.

                    The account used for this test must have network logon privileges

                    for this machine's domain.

                     ......................... STARBASE failed test NetLogons

                    Starting test: ObjectsReplicated

                    ......................... STARBASE passed test ObjectsReplicated

                    Starting test: Replications

                    [Replications Check,STARBASE] DsReplicaGetInfo(PENDING_OPS, NULL)

                    failed, error 0x2105 "Replication access was denied."

                     ......................... STARBASE failed test Replications

                    Starting test: RidManager

                    ......................... STARBASE passed test RidManager

                    Starting test: Services

                    Could not open NTDS Service on STARBASE, error 0x5

                    "Access is denied."

                    ......................... STARBASE failed test Services

                    Starting test: SystemLog

                    A warning event occurred.  EventID: 0x00001796

                    Time Generated: 10/02/2014  07:59:08

                    Event String:

                    Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.

                    An error event occurred.  EventID: 0xC0001B63

                    Time Generated: 10/02/2014  07:59:39

                    Event String:

                    A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UmRdpService service.

                    An error event occurred.  EventID: 0xC0001B63

                    Time Generated: 10/02/2014  08:00:09

                    Event String:

                    A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ScDeviceEnum service.

                    An error event occurred.  EventID: 0xC0001B58

                    Time Generated: 10/02/2014  08:00:09

                    Event String:

                    The Smart Card Device Enumeration Service service failed to start due to the following error:

                    An error event occurred.  EventID: 0x00002720

                    Time Generated: 10/02/2014  08:01:02

                    Event String:

                    The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID

                    ......................... STARBASE failed test SystemLog

                    Starting test: VerifyReferences

                    ......................... STARBASE passed test VerifyReferences

                    Running partition tests on : ForestDnsZones

                    Starting test: CheckSDRefDom

                    ......................... ForestDnsZones passed test CheckSDRefDom

                    Starting test: CrossRefValidation

                    ......................... ForestDnsZones passed test

                    CrossRefValidation

                    Running partition tests on : DomainDnsZones

                    Starting test: CheckSDRefDom

                    ......................... DomainDnsZones passed test CheckSDRefDom

                    Starting test: CrossRefValidation

                    ......................... DomainDnsZones passed test

                    CrossRefValidation

                    Running partition tests on : Schema

                    Starting test: CheckSDRefDom

                    ......................... Schema passed test CheckSDRefDom

                    Starting test: CrossRefValidation

                    ......................... Schema passed test CrossRefValidation

                    Running partition tests on : Configuration

                    Starting test: CheckSDRefDom

                    ......................... Configuration passed test CheckSDRefDom

                    Starting test: CrossRefValidation

                    ......................... Configuration passed test CrossRefValidation

                    Running partition tests on : mynet

                    Starting test: CheckSDRefDom

                    ......................... mynet passed test CheckSDRefDom

                    Starting test: CrossRefValidation

                    ......................... mynet passed test CrossRefValidation

                    Running enterprise tests on : mynet.net

                    Starting test: LocatorCheck

                    ......................... mynet.net passed test LocatorCheck

                    Starting test: Intersite

                    ......................... mynet.net passed test Intersite

                     All and any comments or suggestions greatly appreciated

                     NOTE: In this post I have substituted my registered domain name with mynet

                     WD

                    johnpoz (LAYER 8 Global Moderator)

                      What a mess - this is your DC?  Why do you have it setup multihomed with 2 interfaces in the same network?

                      Do you have other DCs – why are you pointing to 192.168.0.1 for DNS?

                      Why do you have all the teredo, 6to4 and isatap stuff turned on?


                      Witchdoc59

                        Thanks for your reply

                        What a mess - this is your DC?  Why do you have it setup multihomed with 2 interfaces in the same network?

                        This network is for education purposes.  After installing Windows 2012 R2 I was getting a message that the server should have 2 network cards.  I installed a second card and the machine stopped complaining about that.

                        Do you have other DCs – why are you pointing to 192.168.0.1 for DNS?
                        I only have the one DC.  192.168.0.1 is the lan side of the pfsense box.  Should I not be using the pfsense machine to do dns?

                        Why do you have all the teredo, 6to4 and isatap stuff turned on?

                         This is all stuff that was installed and turned on as part of the basic install of the server.  I can turn it off if it is recommended.

                        Again, all and any comments or suggestions are appreciated.

                        KOM

                          Active Directory and DNS are tightly coupled.  If you're running a Windows domain, you're better off using your domain controller to handle your DNS/DHCP.

                          johnpoz (LAYER 8 Global Moderator)

                            "I only have the one DC.  192.168.0.1 is the lan side of the pfsense box."

                             How does pfSense know about your AD DNS stuff?  In an AD setup the only thing that should be pointed to for DNS by any AD members is AD DNS.. Nothing else is going to have the records about your AD other than your AD DNS.

                             What was complaining about 2 NICs??  Did you set up this box as a proxy or router?  An AD DC should not have 2 interfaces - especially in the same network!!

                             Unless you're using IPv6-over-IPv4 transition methods you have no need of those - to be honest you probably have no need for IPv6 at all, and should probably disable it completely.


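Added example, mine and not from the thread: the layout CHfish, KOM and johnpoz describe (DC asks only itself, DC's DNS server forwards everything non-AD to pfSense), applied from PowerShell on the DC. It assumes a DC with one NIC named "Ethernet" at 192.168.0.2 (the second adapter already removed or disabled), pfSense LAN at 192.168.0.1, and the DNS Server role installed so the DnsServer module is present. The public name in the last check is just something reachable to prove forwarding works. Run it elevated.

```powershell
# Added example, not from the thread: the layout CHfish and johnpoz describe,
# applied from PowerShell on the DC. Assumes a single-NIC DC whose adapter is
# named "Ethernet" at 192.168.0.2, pfSense LAN at 192.168.0.1, and the DNS
# Server role installed (DnsServer module). Run elevated.
$InterfaceAlias = 'Ethernet'
$DcAddress      = '192.168.0.2'
$PfSenseLan     = '192.168.0.1'
$Domain         = (Get-CimInstance Win32_ComputerSystem).Domain
$ProbeName      = 'www.netgate.com'   # any public name, only used to prove forwarding works

# Before: what the adapter currently points at. In the thread the DC listed
# 192.168.0.1 first, and pfSense cannot answer for _msdcs, hence the BPA error.
Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses

# 1. DNS client side: the DC asks only AD DNS, i.e. itself. Own address first,
#    loopback as the fallback; no pfSense, no outside resolvers here.
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses @($DcAddress, '127.0.0.1')

# 2. DNS server side: names outside the AD zones go to pfSense, which resolves
#    or forwards upstream. Set-DnsServerForwarder replaces the whole list, so
#    put every forwarder you want in this one call.
Set-DnsServerForwarder -IPAddress $PfSenseLan -UseRootHint $false

# 3. Re-register this host's own A record and the Netlogon SRV records so the
#    AD zones are complete. Restarting Netlogon briefly interrupts logon traffic.
Register-DnsClient
Restart-Service -Name Netlogon

# Verify: the GC locator record resolves from the DC itself ...
Resolve-DnsName -Name "_ldap._tcp.gc._msdcs.$Domain" -Type SRV -Server $DcAddress -DnsOnly |
    Where-Object Type -eq 'SRV' | Format-Table Name, NameTarget, Port, Priority, Weight -AutoSize
# ... the forwarder list is what we set ...
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint
# ... and an outside name still resolves through the forwarder.
Resolve-DnsName -Name $ProbeName -Type A -Server $DcAddress -DnsOnly | Select-Object Name, IPAddress
```

Domain members then get only the DC's address (192.168.0.2) from DHCP as their DNS server; pfSense stays the default gateway and the upstream forwarder, nothing more. If pfSense's DNS Resolver should also be able to answer AD names for non-domain hosts on the LAN, add a Domain Override for the AD domain pointing at 192.168.0.2 rather than listing pfSense on the domain members.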
                            Witchdoc59

                               I am running a Windows domain.  I'm starting to realize that the pfSense router is not ideal for a Windows domain.

                               When I first set up the server and ran the Best Practice Analyzer it told me the machine should have 2 network adapters.  After installing the 2nd adapter the BPA no longer complains about network adapters.

                               I've removed pfSense from the list of DNS machines and I no longer get the errors about it not being able to resolve the AD stuff.  Now I'm just getting a message that the adapters should have preferred and alternate DNS servers configured.

                              Thanks again to all commenters.

                              johnpoz (LAYER 8 Global Moderator)

                                " I'm starting to realize that the pfsense router is not ideal for a Windows Domain. "

                                 What does the router/firewall have to do with a Windows domain – let me think about it for 2 seconds..  Yup, that would be NOTHING!!!

                                 Think for 2 seconds – why would a DC need 2 NICs??  Makes NO sense AT all!!  Never heard of such a thing.. Only if it was going to be a proxy or router would it make sense that it needs 2 NICs..  Is this some small business version of Windows?

                                 You don't need two NICs!!  But yes, you need to have your DNS for AD correct..  And you don't need an alternative DNS either..  How many boxes in your AD are running DNS??  Let me take a guess: 1 – so how would you have an alternative DNS server?


                                  SKDJ

                                   4 years and still relevant. Mr. Johnpoz (the little friendly devil). I have a Server Essentials 2016 license. It's not meant to be used even twice, in a VM or outside of one. And I'm using a pfSense FW with conditional DNS forwarding capability. It also has the option to be used for 'domain overrides'. This setup is to be used in a production environment with a 4 hour SLA to reproduce the AD DC with DNS should it fail in VMware.

                                   Yet: I'd like to solve those best practice errors without configuring the PDC as if there will never be an SDC. Because I think there will be, and at that point I'd love to just change one IP address and see everything become green.

                                   I've been a system admin for quite a few years but networking is not my best skill (yet). So I was actually wondering about the same. Can I set any service in pfSense to 'spoof' a secondary DNS with all green servers in my solitary PDC?

                                   I will keep you posted because it seems enough people are looking at this thread. Thanks for the response effort so far! (I started out learning this networking stuff as a teacher too, by the way :-) Let's not throw out pfSense as 'not the best solution' yet.)

                                    SKDJ

                                     Ok. So. By using my 30.10.10.in-addr.arpa and assigning my PDC's IP address (which I called the SDC reverse LUZ spoof), and assigning that same IP to my.domainname.tst (SDC DNS LUZ spoof), I lost 7 of the 9 BPA flags.

                                     The last two I will solve later, but since there is a list of system DNS servers usable on both the WAN and LAN interfaces I have to figure out which one is seen as first and which one second.

                                     But most of all, little devil: yes! It can be done. It might not be advisable for obvious reasons, but yes, it can be done!

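Added example, mine and not SKDJ's or Netgate's, for the "spoofed secondary DNS" idea in SKDJ's two posts above: before listing pfSense as a second DNS server on domain members, compare what pfSense hands back for the AD locator records with what the DC itself returns, record by record. It assumes the DC's DNS at 192.168.0.2, pfSense at 192.168.0.1 with a Domain Override for the domain pointing at the DC, and the thread's placeholder domain mynet.net; the function names are mine. Run it from any domain member that can reach both servers.

```powershell
# Added example, not from the thread: compare the AD locator records served by
# the DC against those returned through a pfSense domain override, so you know
# whether listing pfSense as a "secondary" DNS server is at least consistent.
$Domain  = 'mynet.net'      # placeholder domain name used in the thread
$Primary = '192.168.0.2'    # the DC's own DNS server
$Proxy   = '192.168.0.1'    # pfSense, assumed to have a Domain Override for $Domain -> $Primary

function Get-LocatorAnswers {
    # Returns a hashtable of record name -> sorted, comma-joined answer (or an ERROR string).
    param([string]$Server, [string]$Domain)
    # The SRV names the AD locator (DsGetDcName) looks up, plus the domain apex
    # A record that LDAP clients without site information fall back to.
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.gc._msdcs.$Domain",
        "_ldap._tcp.pdc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.$Domain",
        "_ldap._tcp.$Domain"
    )
    $answers = @{}
    foreach ($name in $srvNames) {
        try {
            $rr = Resolve-DnsName -Name $name -Type SRV -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop |
                  Where-Object Type -eq 'SRV' |
                  ForEach-Object { "$($_.NameTarget):$($_.Port)" } | Sort-Object
            $answers[$name] = ($rr -join ',')
        } catch {
            $answers[$name] = "ERROR: $($_.Exception.Message)"
        }
    }
    try {
        $a = Resolve-DnsName -Name $Domain -Type A -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop |
             Where-Object Type -eq 'A' | ForEach-Object IPAddress | Sort-Object
        $answers[$Domain] = ($a -join ',')
    } catch {
        $answers[$Domain] = "ERROR: $($_.Exception.Message)"
    }
    return $answers
}

function Compare-LocatorAnswers {
    # One row per record; Match is true only when both sides agree and the DC answered at all.
    param([hashtable]$FromPrimary, [hashtable]$FromProxy)
    foreach ($name in ($FromPrimary.Keys | Sort-Object)) {
        [pscustomobject]@{
            Record  = $name
            Primary = $FromPrimary[$name]
            Proxy   = $FromProxy[$name]
            Match   = ($FromPrimary[$name] -eq $FromProxy[$name]) -and -not $FromPrimary[$name].StartsWith('ERROR')
        }
    }
}

$report = Compare-LocatorAnswers -FromPrimary (Get-LocatorAnswers -Server $Primary -Domain $Domain) `
                                 -FromProxy   (Get-LocatorAnswers -Server $Proxy   -Domain $Domain)
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Match }) {
    Write-Warning "pfSense is not returning the same AD locator records as the DC; do not list it as a DNS server on domain members."
}
```

Matching rows only prove that pfSense is forwarding faithfully. The override in the DNS Resolver holds no copy of the zone, so when the DC is down pfSense has nothing left to answer from, and dynamic DNS registrations from clients still go only to the DC. It will quiet the BPA about a missing alternate server; it is not a second DC.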
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.