Netgate Discussion Forum

Active Directory DNS

Category: DHCP and DNS. 31 Posts, 9 Posters, 10.8k Views
• Derelict (LAYER 8, Netgate)

  Let AD handle DNS and DHCP.

  Chattanooga, Tennessee, USA
  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
  Do Not Chat For Help! NO_WAN_EGRESS(TM)
• Guest

  I configured the DNS server to the domain controller. Is there any way that DHCP will be in the pfSense box?
• Derelict (LAYER 8, Netgate)

  I say again. Let AD handle DNS and DHCP.
• johnpoz (LAYER 8, Global Moderator)

  What possible benefit could there be to have pfSense do DHCP, when you clearly have 2 DCs that are more than capable of providing DHCP..

  Name 1 reason not to just do it on the DC, which makes for easier name resolution of AD members, etc. etc. Since you stated you have 2, you can do DHCP failover. Do you have any other servers?

  https://technet.microsoft.com/en-us/library/hh831385.aspx
  Step-by-Step: Configure DHCP for Failover

  An intelligent man is sometimes forced to be drunk to spend time with his fools
  If you get confused: Listen to the Music Play
  Please don't Chat/PM me for help, unless mod related
  SG-4860 24.11 | Lab VMs 2.8, 24.11
• Guest

  Yes, we do have 2 DCs running on our network, and they are configured on 2 vSphere servers (1 DC per server). Technically it is running through VMware, and there are also some other servers running on that server.
• Derelict (LAYER 8, Netgate)

  So why are you looking for something else to do DHCP or DNS?
• Guest

  These servers are located in a different area of the office, but since the building is very old the power keeps fluctuating and the servers go down. The area where I will put the pfSense box has the most stable power supply; however, it cannot handle a lot of servers. That's why, as much as possible, I would like to use pfSense as DHCP, with DNS on the DC. Currently we use a MikroTik router, but since it is old I will switch to pfSense. 10.10.0.6, 10.10.0.7 (DC) and 10.10.0.1 (router) are configured under DHCP -> DNS and it works well; however, when I tried to configure it in pfSense the hosts had a hard time picking up an IP address from the pfSense box.
• Derelict (LAYER 8, Netgate)

  Effing fix your power or move your DCs. Christ.
• johnpoz (LAYER 8, Global Moderator)

  ^ yeah that would be my suggestion as well.. WTF???
• SobyOne

  I use the same configuration because I have multiple independent domain names (forests) on my network.

  You should be able to configure the DHCP to work in this way, although it's designed by default to point the WAN toward your gateway.

  In your scenario, I would use the following:

  DNS Entries
    10.10.0.6
    10.10.0.7

  Gateway
    10.10.0.1

  I found I also needed to add the DNS entries to System -> General for pfSense to resolve machine names.

  ![DNS Servers on DHCP.png](/public/imported_attachments/1/DNS Servers on DHCP.png)
• joako

  I'll be the odd one out. This is how I've always done it and it's never been an issue. Keep in mind pfSense becomes a single point of failure.

  Under Services > DNS Forwarder or Services > DNS Resolver (depending on what version of pfSense was originally installed, unless you've manually switched to DNS Resolver) create a domain override:
• johnpoz (LAYER 8, Global Moderator)

  And still no actual answer to what point there is in using pfSense when you have AD that requires DNS and has it right there running anyway.. Why would you point member clients of AD to anything other than your AD DNS and DHCP, one good reason??

  Having multiple forests sure and the F is not a valid reason.. Or do you think it is? Please explain..

  "Keep in mind pfSense becomes a single point of failure."

  So sure you create a domain override - but for what Freaking reason? As you state, you now create a failure point..
• ThatGuy

  I'm new to pfSense 2.3 and, as with some others, I like to set up DHCP and DNS on my routing appliances and not Windows Server. Joako is right on the money. By doing what he suggests it works great. No AD or Group Policy errors on workstations authenticating to the DC/AD Server. Works for me.

  ThatGuy
• JasonJoel

  @johnpoz:

    And still no actual answer to what point there is in using pfSense when you have AD that requires DNS and has it right there running anyway.. Why would you point member clients of AD to anything other than your AD DNS and DHCP, one good reason??

    Having multiple forests sure and the F is not a valid reason.. Or do you think it is? Please explain..

    "Keep in mind pfSense becomes a single point of failure."

    So sure you create a domain override - but for what Freaking reason? As you state, you now create a failure point..

  I thought in order to use DNSBL in pfBlocker you HAD to run DNS through pfSense?

  Jason
• johnpoz (LAYER 8, Global Moderator)

  "I thought in order to use DNSBL in pfBlocker you HAD to run DNS through pfSense?"

  What does that have to do with your AD DNS??? You point your clients to your AD DNS.. You then have your AD DNS ask pfSense, which is running unbound and using pfBlocker, for stuff it is not authoritative for; simple forward setup in AD DNS..
• JasonJoel

  @johnpoz:

    "I thought in order to use DNSBL in pfBlocker you HAD to run DNS through pfSense?"

    What does that have to do with your AD DNS??? You point your clients to your AD DNS.. You then have your AD DNS ask pfSense, which is running unbound and using pfBlocker, for stuff it is not authoritative for; simple forward setup in AD DNS..

  I see your point, and I agree you're technically correct. I chose to do DHCP in pfSense instead of my DCs because I have a lot of other non-AD subnets and chose not to DHCP relay. So if I'm going to use DHCP for the non-Windows subnets in pfSense, I might as well do it all there so I don't have to manage DHCP in 2 different places, even though I admit that makes the AD subnet DHCP configuration less robust/reliable.

  Jason
• johnpoz (LAYER 8, Global Moderator)

  "I might as well do it all there so I don't have to manage DHCP 2 different places"

  Well, depends on how many clients you have in AD and non-AD.. I personally would let AD clients get DHCP from AD.. This is how MS designed it ;)

  But where DHCP comes from has little to do with DNS.. Whether you point your non-AD to pfSense for DNS would depend on if they need to resolve lots of stuff in AD DNS..

  You're clearly running 2 DNS setups now.. Not sure what you have against DHCP relay? This would allow all DNS to be in AD for all your clients, and since they would be getting DHCP from there it would be a cleaner setup.

  If you want pfSense itself to resolve your AD stuff then sure it needs to know where to go ask for DNS via a domain override.
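The arrangement johnpoz lays out across his last two posts (AD members query the DC; the DC is authoritative for the AD zone and forwards everything else to pfSense's unbound with the pfBlocker DNSBL; pfSense carries a domain override so it can resolve AD names itself) is easy to draw and surprisingly easy to get subtly wrong. The script below is an added example, not code from the thread or from pfSense: a small model of that forwarding chain that traces where a query ends up and flags the one misconfiguration this design invites, a domain override on pfSense for a zone the DC does not actually host, which sends the query straight back and forms a loop. The resolver names (`dc`, `pfsense`), the zones `corp.example` and `lab.example`, and the blocklist entry `ads.example.net` are constructed.

```python
# Added example (not from the thread): a small model of the split-DNS design
# johnpoz describes. AD members query the DC, which is authoritative for the
# AD zone and forwards everything else to pfSense (unbound + pfBlocker DNSBL);
# pfSense carries a domain override so it can resolve AD names itself.
# The resolver names, zones and the blocklist entry below are constructed.
from dataclasses import dataclass, field
from typing import Container, Dict, List, Optional, Set, Tuple


@dataclass
class Resolver:
    name: str
    authoritative: Set[str] = field(default_factory=set)     # zones answered locally
    overrides: Dict[str, str] = field(default_factory=dict)  # zone -> resolver (domain override / conditional forwarder)
    forwarder: Optional[str] = None                          # resolver for everything else; None = recurse upstream
    blocklist: Set[str] = field(default_factory=set)         # DNSBL domains, pfBlocker style


def zone_of(qname: str, zones: Container[str]) -> Optional[str]:
    """Longest zone in `zones` that qname falls under (or None), case-insensitive."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def trace(qname: str, start: str, resolvers: Dict[str, Resolver],
          max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow `qname` from resolver `start`; return (outcome, resolvers visited).

    outcome: "authoritative", "blocked", "upstream" (left the local resolvers for
    the internet), "loop" (a resolver is asked twice) or "too-many-hops".
    """
    path = [start]
    current = start
    for _ in range(max_hops):
        r = resolvers[current]
        if zone_of(qname, r.authoritative):
            return "authoritative", path
        if zone_of(qname, r.blocklist):
            return "blocked", path
        zone = zone_of(qname, r.overrides)
        nxt = r.overrides[zone] if zone else r.forwarder
        if nxt is None:
            return "upstream", path
        if nxt in path:
            return "loop", path + [nxt]
        path.append(nxt)
        current = nxt
    return "too-many-hops", path


def thread_topology() -> Dict[str, Resolver]:
    """The thread's arrangement with constructed names: the DC is authoritative for
    corp.example and forwards to pfSense; pfSense overrides corp.example back to the
    DC and filters one constructed DNSBL domain."""
    return {
        "dc": Resolver("dc", authoritative={"corp.example"}, forwarder="pfsense"),
        "pfsense": Resolver("pfsense", overrides={"corp.example": "dc"},
                            blocklist={"ads.example.net"}),
    }


def misconfigured_topology() -> Dict[str, Resolver]:
    """Same, plus a pfSense domain override for a zone the DC does not host:
    the DC forwards it straight back, which is a forwarding loop."""
    topo = thread_topology()
    topo["pfsense"].overrides["lab.example"] = "dc"
    return topo


def find_loops(resolvers: Dict[str, Resolver], names: List[str]) -> List[str]:
    """Names from `names` whose resolution loops from at least one start point."""
    return sorted({n for n in names for start in resolvers
                   if trace(n, start, resolvers)[0] == "loop"})


if __name__ == "__main__":
    for qname, start in [("dc1.corp.example", "dc"), ("www.ads.example.net", "dc"),
                         ("www.example.com", "dc"), ("dc1.corp.example", "pfsense")]:
        print(qname, "from", start, "->", trace(qname, start, thread_topology()))
    print("loops:", find_loops(misconfigured_topology(),
                               ["host.lab.example", "dc1.corp.example"]))
```

The order of checks inside `trace` is the design point: a resolver answers what it is authoritative for, then applies its blocklist, then consults a domain-specific override before falling back to its general forwarder. Any override you add on pfSense must name a zone the target really serves; otherwise the DC's catch-all forwarder hands the query right back.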
• joako

  @johnpoz:

    And still no actual answer to what point there is in using pfSense when you have AD that requires DNS and has it right there running anyway.. Why would you point member clients of AD to anything other than your AD DNS and DHCP, one good reason??

    Having multiple forests sure and the F is not a valid reason.. Or do you think it is? Please explain..

    "Keep in mind pfSense becomes a single point of failure."

    So sure you create a domain override - but for what Freaking reason? As you state, you now create a failure point..

  If I use Windows DHCP then I have to buy a CAL for each iPhone an employee connects to the wifi.
• johnpoz (LAYER 8, Global Moderator)

  "If I use Windows DHCP then I have to buy a CAL for each iPhone an employee connects to the wifi."

  Says freaking who??? You sure and the F do not need a CAL to hand out a DHCP lease… There is nothing in MS that checks for this..

  Does your user not have a CAL already?? You're doing device CAL licensing??

  If you're doing user-based CALs the user could have 100 devices using server resources.. If you're using device licensing then sure, legally this would be a requirement, but who does device licensing? This never makes sense..

  Also I have never seen a company actually pay that close attention to MS licensing from hell.. If you're going to take it to the letter of the MS requirement then pretty much every single business on the planet that has a Windows machine would fail ;)
• ThatGuy

  @johnpoz:

    "If I use Windows DHCP then I have to buy a CAL for each iPhone an employee connects to the wifi."

    Says freaking who??? You sure and the F do not need a CAL to hand out a DHCP lease… There is nothing in MS that checks for this..

    Does your user not have a CAL already?? You're doing device CAL licensing??

    If you're doing user-based CALs the user could have 100 devices using server resources.. If you're using device licensing then sure, legally this would be a requirement, but who does device licensing? This never makes sense..

    Also I have never seen a company actually pay that close attention to MS licensing from hell.. If you're going to take it to the letter of the MS requirement then pretty much every single business on the planet that has a Windows machine would fail ;)

  Johnpoz is right on the head with this one. I can clearly tell, [insert sarcasm font here] he's got just a little bit of Windows licensing/DHCP/DNS experience [end sarcasm font]. ;)

  But Johnpoz, I'm a Windows guy too and a holdout for using domain overrides in my routing devices and letting my routers handle both DHCP and DNS. I've seen quirky problems happen with Windows DHCP and some devices, especially VOIP phones that won't release their DHCP lease, and we get IP conflicts (particularly with LG VOIP phones). I don't see these problems with Linux/Unix-based DHCP servers. So I've got my reasons. But some reasons I have may be unfounded. So, I'd like to display my ignorance on the matter and have you set me straight. Keep in mind, I'll probably be setting up a Hyper-V AD lab this weekend to test the things you state.

  Here's one of my scenarios:

  What happens when your DC handling DHCP and DNS goes down? And no, with the VMs I run I do NOT have a backup DC. I just have really good backups that I should be able to quickly mount on a loaner Hyper-V server if I need to. But for simplicity's sake, let's just say I don't have a VM I can quickly restore. Let's just entertain me here. When devices pull DHCP leases from Windows Server and a client machine (or VOIP phone) is rebooted, it won't pull a DHCP lease because obviously the Windows DHCP service is down. So it's bad enough they can't get to any LAN resources (printers, fileservers, etc.), but even worse they can't get out to the Internet in this cloud-based world we now live in. I'm a consultant and have countless issues with poorly executed DC environments that I have to take over, and I simply trust a Linux/Unix type device like DD-WRT or pfSense to be a better, more stable DHCP/DNS device.

  Johnpoz, why is my thinking wrong here? Why is your scenario for always running DHCP/DNS on the DC better? Looking forward to your post.

  ThatGuy
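Whichever box ends up serving DHCP, the IP-conflict symptom ThatGuy describes (a phone that never renews or releases, while the server has already handed its address to another client) leaves a trace in the server's lease history, so it can be audited rather than discovered by a helpdesk ticket. The script below is an added example, not code from the thread or from pfSense: it parses the ISC dhcpd lease format (which pfSense's ISC DHCP backend writes; Windows DHCP would need its own export) and reports addresses that moved to a new MAC shortly after the previous lease lapsed, plus any MAC holding several active addresses. The lease records, MACs and hostnames in `SAMPLE_LEASES` are constructed sample data.

```python
# Added example (not from the thread): audit an ISC dhcpd lease file for the
# address-reuse conflict ThatGuy describes (a device that keeps an address after
# its lease lapsed while the server hands the same address to someone else) and
# for one MAC holding several active addresses. pfSense's ISC DHCP backend writes
# this format; the leases below are constructed sample data.
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SAMPLE_LEASES = """\
lease 10.10.0.50 {
  starts 2 2024/01/02 08:00:00;
  ends 2 2024/01/02 20:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "lg-voip-01";
}
lease 10.10.0.51 {
  starts 2 2024/01/02 09:00:00;
  ends 2 2024/01/02 21:00:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:01;
  client-hostname "laptop-01";
}
lease 10.10.0.52 {
  starts 2 2024/01/02 10:00:00;
  ends 2 2024/01/02 22:00:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:01;
  client-hostname "laptop-01";
}
lease 10.10.0.50 {
  starts 2 2024/01/02 20:30:00;
  ends 2 2024/01/03 08:30:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:02;
  client-hostname "laptop-02";
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S")


def parse_leases(text: str) -> List[Dict]:
    """Lease records in file order. dhcpd appends on every change, so a later
    record for the same IP supersedes an earlier one."""
    leases = []
    for m in LEASE_RE.finditer(text):
        rec: Dict = {"ip": m.group(1), "mac": None, "state": None, "starts": None, "ends": None}
        for line in m.group(2).splitlines():
            line = line.strip().rstrip(";")
            if line.startswith("starts "):
                rec["starts"] = _ts(line.split(" ", 2)[2])
            elif line.startswith("ends "):  # "ends never" marks an infinite lease
                rec["ends"] = None if line.endswith("never") else _ts(line.split(" ", 2)[2])
            elif line.startswith("binding state "):  # skips "next binding state"
                rec["state"] = line.split()[-1]
            elif line.startswith("hardware ethernet "):
                rec["mac"] = line.split()[-1].lower()
        leases.append(rec)
    return leases


def audit(leases: List[Dict], reuse_window: timedelta = timedelta(hours=24)) -> List[Tuple]:
    """Findings: ("reuse", ip, old_mac, new_mac) when an address moved to a new MAC
    within `reuse_window` of the old lease ending (the old device may still be on
    it), and ("multi", mac, [ips]) when one MAC holds several active leases."""
    history: Dict[str, List[Dict]] = {}
    for rec in leases:
        history.setdefault(rec["ip"], []).append(rec)

    findings: List[Tuple] = []
    active_by_mac: Dict[str, List[str]] = {}
    for ip, recs in history.items():
        cur = recs[-1]  # the current state of this address
        if cur["state"] != "active" or not cur["mac"]:
            continue
        active_by_mac.setdefault(cur["mac"], []).append(ip)
        for prev in recs[:-1]:
            if (prev["mac"] and prev["mac"] != cur["mac"] and prev["ends"] and cur["starts"]
                    and cur["starts"] - prev["ends"] <= reuse_window):
                findings.append(("reuse", ip, prev["mac"], cur["mac"]))
    for mac, ips in active_by_mac.items():
        if len(ips) > 1:
            findings.append(("multi", mac, sorted(ips)))
    return findings


def audit_text(text: str, reuse_hours: int = 24) -> List[Tuple]:
    """Convenience wrapper: parse and audit a lease file's contents."""
    return audit(parse_leases(text), timedelta(hours=reuse_hours))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_LEASES):
        print(finding)
```

Run it against a real `dhcpd.leases` by passing the file's contents to `audit_text`; a "reuse" finding is a prompt to ping or ARP-scan the address before assuming the new client owns it, and a "multi" finding usually means a client changed its client identifier between requests.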
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.