Issues with joining pfSense's Hyper-V host machine to domain
-
[See picture for general overview]
I have pfSense running as a Hyper-V VM. I want to join the Hyper-V host machine to the domain, but it can't find the ADDC. I am also concerned that once I join the host machine to the domain, I will have issues with pfSense serving as a basic router for the wireless clients, none of which will ever be domain members (think wired office vs. wireless lobby). The layout as depicted is not how I would have designed it from scratch, as it looks very clunky. Unfortunately, it's the only way I could get things to work.
The usual suspect–DNS issues--should be ruled out. All wired clients have assigned IP addresses (DHCP is not enabled because it caused major problems that I could never resolve), and their IPV4 settings all point to the ADDC as the DNS server with no alternate DNS.
When I try to join the Hyper-V host machine to the domain, I get the classic "Network path was not found" pop-up error message. I had that problem with another machine and I tried replicating all the steps I took to fix it, but to no avail on the Hyper-V machine.
Methinks the issue lies in the pfSense settings, but the documentation is really weak.
Or is the problem related to sharing a physical NIC between the pfSense virtual switch and the host machine's connection to the LAN? Should I just buy an extra NIC so that pfSense and the host machine have separate ports in the LAN switch?
-
You MUST have 2 NICs in the host. 3 is better.
Don't use Broadcom NICs (if you can help it)- https://support.microsoft.com/en-us/kb/2986895
- https://support.microsoft.com/en-us/kb/2902166
In the host you need 2 virtual network switches.
One virtual switch is called "PFSense WAN".
This virtual switch only ever gets ONE virtual network adapter (WAN in PFSense).
It's also connected to just one physical NIC
You must untick "Allow management operating system to share this network adapter".The other virtual switch is called "Internal network". If you have 3 NICs, you can also untick "Allow management operating system to share this network adapter".
One of the NICs connects direct from the SB6190 to the host.
This NIC is the only one in PFSense WAN virtual switch.The 2nd NIC connects off to the virtual switch "Internal network" and the procurve 4000m
The PFSense LAN port connects to this virtual switch.If you have a 3rd NIC then it isn't linked to a virtual network and this is the NIC you would use to connect to for RDP, or network share traffic.
Check the virtual MAC addresses in PFSense to make sure you get them the right way around.
Visualise the path for incoming network traffic so you can tell how it should go
modem
cable
nic
PFSense Wan virtual switch
PFSense WAN NIC
PFSense firewall
PFSense LAN Switch
Internal network virtual switch
rest of network, and it doesn't matter if it's a 2nd VM on the host, or a separate host connected to your ProCurve -
Have a look at https://forum.pfsense.org/index.php?topic=104831.msg584360#msg584360 for a graphical representation of what SnowGhost is referring to.
-
You MUST have 2 NICs in the host. 3 is better.
Don't use Broadcom NICs (if you can help it)- https://support.microsoft.com/en-us/kb/2986895
- https://support.microsoft.com/en-us/kb/2902166
In the host you need 2 virtual network switches.
One virtual switch is called "PFSense WAN".
This virtual switch only ever gets ONE virtual network adapter (WAN in PFSense).
It's also connected to just one physical NIC
You must untick "Allow management operating system to share this network adapter".The other virtual switch is called "Internal network". If you have 3 NICs, you can also untick "Allow management operating system to share this network adapter".
One of the NICs connects direct from the SB6190 to the host.
This NIC is the only one in PFSense WAN virtual switch.The 2nd NIC connects off to the virtual switch "Internal network" and the procurve 4000m
The PFSense LAN port connects to this virtual switch.If you have a 3rd NIC then it isn't linked to a virtual network and this is the NIC you would use to connect to for RDP, or network share traffic.
This is how I currently have it set up. Sorry if my diagram was a little vague; I have updated it accordingly. The VM host machine has 2 NICs. Each one is linked to its own virtual switch. The host machine only participates in the LAN side (NIC 2). I guess I will get an additional NIC and isolate the host machine to that one into the HP switch for its network access. I'm highly suspicious that piggybacking on the same virtual switch/physical NIC that pfSense is using for its LAN port is too prone to issues.
Oh, and the NICs are both Intel 82574L on the server mainboard. No Broadcom anywhere.
-
As described, it should work just fine.
What were you using for DNS & DHCP, because they should both work.
(My DHCP Server is still a 2003R2 server, that until about a month ago was a physical server. When I did the P2V conversion, DHCP staid there and has been working just fine ever since).
-
As described, it should work just fine.
What were you using for DNS & DHCP, because they should both work.
(My DHCP Server is still a 2003R2 server, that until about a month ago was a physical server. When I did the P2V conversion, DHCP staid there and has been working just fine ever since).
DNS server is running on the ADDC machine. I do not use DHCP; all clients are manually configured with assigned IP addresses.
-
I would really appreciate some help here. I've already stumped the experts on TechNet to the point that they are now suggesting that I do a clean reinstall of the OS!
-
Hi.
I think you might have some non-pfsense related problems, considering you cannot get DHCP or DNS to work from the host via dedicated (non-shared) NIC.
Have you tried manually doing some address queries with nslookup from the host, supplying the server address explicitly?Have you checked if the host's NLA service "recognized" your network as being "public" maybe? Does RDP to the host work?
Also, I'd try turning off windows FW on the host, just in case.regards
-
Have you tried manually doing some address queries with nslookup from the host, supplying the server address explicitly?
Have you checked if the host's NLA service "recognized" your network as being "public" maybe? Does RDP to the host work?
Also, I'd try turning off windows FW on the host, just in case.nslookup from the Hyper-V host is unable to find the ADDC machine, although arp, ping, RDP, and network shares all connect just fine with the ADDC machine.
The network is "Private".
The Windows FW seems to have no effect, whether on or off.
-
The network is "Private".
This is your problem.
This will only allow VMs to talk to each other. The VMs can't talk to the host or other clients on other switches.Set it to external.
-
This is your problem.
This will only allow VMs to talk to each other. The VMs can't talk to the host or other clients on other switches.Set it to external.
You are not talking about the same thing. I say "private" in response to DDennisS, referring to Windows NLA, which has three options: private, public, and domain. I believe you are talking about virtual switches, which are either external, internal, or private. Obviously my virtual switch settings are external, otherwise I wouldn't have any connection to other devices like my cable modem or switch.