Netgate Discussion Forum
    Colocate active directory

    Routing and Multi WAN
rustydusty1717

      Hello,

Need some assistance with the best way to get what I want done. Currently my domain controller and exchange server are local. DHCP and DNS are done on the domain controller and work perfectly. My pfsense is virtualized with VMware esxi 5.5 and everything is working great.

I'm looking at colocating the host, setting up openvpn between the site and the colocation. I have a netgate with pfsense ready to set up at the site.

Now, I don't want all traffic to go through the vpn tunnel, just DNS so things can resolve offsite fine. Would it be best to do dhcp relay to the domain controller over the vpn, or do dhcp on the pfsense on site, have dns set to the local pfsense device and forward to the domain controller address?

Looking for the best possible options with as little traffic over the vpn as possible.

heper

personally i'd do dhcp locally and just set the dns field in your dhcp configuration to the ip of your AD. i wouldn't do dns forwarding or dhcp relay because that just seems complicated for no good reason.

if it is used for a small LAN network (<2000 clients), then dns is not really a bandwidth monster.

rustydusty1717

I guess the only reason I was considering dns forwarding was so there was some sort of local cache on the site side, so it's not doing lookups constantly.

rustydusty1717

I want the machines at the site to act just like they were on the domain network and such, and still display domain.local as the dns name as well. Is that possible using the forwarder?

            I also see that there is DNS resolver. Would this be better for what I'm trying to do?

            Thanks

weltmeyer

              hi rusty,

              i am doing exactly what you try to do :)

i got my Domain Controller on a hosted Win2012R2 Server, called "adhost".

adhost has the openvpn server installed.
adhost has IP net 192.168.5.0/24, its IP is 192.168.5.1.
I set up the VPN connection as a layer 2 bridge.
My homenet pfsense is the vpn client and i set a static ip for the vpn interface of 192.168.5.2.
on pfsense, i have enabled DHCP for my homenet with 192.168.6.0/24 and the lan interface has 192.168.6.1.
on adhost i have set a route to 192.168.6.0/24 with 192.168.5.2 as the gateway.
Now all hosts in your homenet can ping adhost,
while the default GW on my pfsense is still the WAN gateway.

You set the primary DNS server in pfsense to 192.168.5.1 (adhost).
From now on, you can join all your computers to your domain. That's all.

rustydusty1717

                Hello,

                Thanks for the suggestion! This is what I've done:

                Colocation has a network of 172.16.0.0/24

                Site has a network of 10.0.0.0/24

Domain Controller has the address 172.16.0.4
Virtualized pfsense at the colocation has the address 172.16.0.1
Pfsense onsite has the address 10.0.0.1

DHCP on site is handing out addresses 10.0.0.150 - 10.0.0.250 with the DNS set to 172.16.0.4 and the domain name set to domain.local.

This is working fine; my only concern is that every DNS lookup is being done over the VPN with no DNS cache on the site side. Although this is barely any traffic over the VPN, I would still like to find a better way to do it if possible, where there's a cache on the site so not every lookup goes offsite. I could set up a local DC that hands out addresses and serves as DNS. I would prefer not to do this, as I migrated everything to a colocation for this reason. I noticed new versions of pfsense have a DNS resolver instead of the DNS forwarder; not sure if this would help with what I'm trying to achieve.

                Any suggestions greatly appreciated!

rustydusty1717

Just an update: installed unbound on the pfsense onsite. Put the address of the DC in the general setup page, in dhcp changed DNS to the address of the pfsense, and all works well. Still pushing the domain name to clients and still able to see the domain. Plus got some sort of DNS cache onsite instead of doing constant lookups offsite.

                  Unbound was the solution all along  8)

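For readers who want to see what the final design in this thread (a caching resolver on the site pfSense, with only the AD zones forwarded over the VPN to the DC) amounts to in unbound's own configuration, here is an added example. It is a constructed unbound.conf using the addresses from the thread, not the poster's GUI-built pfSense configuration, and it assumes that names outside domain.local are resolved recursively from the site's own WAN rather than sent to the DC.

```conf
# Constructed example: site-side caching resolver for the thread's addressing
# (site LAN 10.0.0.0/24 behind pfSense 10.0.0.1, AD DNS at 172.16.0.4 over OpenVPN).
server:
    # Listen on the site LAN and loopback only; refuse everything else so the
    # cache is never reachable from the WAN or the tunnel side.
    interface: 10.0.0.1
    interface: 127.0.0.1
    access-control: 10.0.0.0/24 allow
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # The point of the thread: answer repeat lookups locally instead of sending
    # every query across the VPN. prefetch refreshes popular records before they
    # expire; serve-expired keeps answering briefly if the tunnel is down.
    cache-min-ttl: 60
    prefetch: yes
    serve-expired: yes

    # domain.local is not DNSSEC-signed and does not exist under the public root,
    # so a validating resolver would otherwise mark the DC's answers as bogus.
    # private-domain lets the DC hand back RFC1918 addresses for that zone.
    domain-insecure: "domain.local"
    private-domain: "domain.local"

    # unbound blocks reverse lookups for RFC1918 space by default (static local
    # zones). Turn those defaults off so PTR queries for the two subnets used here
    # can be forwarded to the DC instead of getting a local NXDOMAIN.
    local-zone: "10.in-addr.arpa." nodefault
    local-zone: "16.172.in-addr.arpa." nodefault

    hide-identity: yes
    hide-version: yes

# Only the AD forward zone and its two reverse zones cross the VPN to the DC;
# all other names are resolved recursively from the site's WAN.
forward-zone:
    name: "domain.local"
    forward-addr: 172.16.0.4
forward-zone:
    name: "0.0.10.in-addr.arpa."
    forward-addr: 172.16.0.4
forward-zone:
    name: "0.16.172.in-addr.arpa."
    forward-addr: 172.16.0.4
```

With this in place the DHCP scope hands out 10.0.0.1 as the DNS server and domain.local as the search domain, exactly as the last post describes, and a second lookup of the same name is answered from the site cache without touching the tunnel.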