Windows Server behind pfsense
-
Ok perhaps I can do this in parts.
Here is one of the errors I'm getting on my Domain controller.
Title: DNS: The DNS server 192.168.0.1 on Ethernet must resolve Global Catalog resource records for the domain controller
Severity: Error
Date: 2014-09-19 11:07:02 PM
Category: Configuration
Problem: The DNS server 192.168.0.1 on Ethernet did not successfully resolve the name _ldap._tcp.gc._msdcs.mynet.net.
Impact: Active Directory Domain Services (AD DS) operations that depend on locating a Global Catalog will fail.
Resolution: Click Start, click Network, click Network and Sharing Center, and then click Change adapter settings to configure DNS servers that can resolve the name _ldap._tcp.gc._msdcs.mynet.net. http://go.microsoft.com/fwlink/?LinkId=121970
-
Here are the results of the ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : Starbase
Primary Dns Suffix . . . . . . . : mynet.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mynet.net
Ethernet adapter vEthernet (D-Link DGE-530T Gigabit Ethernet Adapter - Virtual Switch):
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
Physical Address. . . . . . . . . : B8-A3-86-7C-1E-20
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.0.4(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.2
192.168.0.1
192.168.0.4
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82566DM-2 Gigabit Network Connection
Physical Address. . . . . . . . . : 00-1C-C0-65-9B-0E
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.0.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
192.168.0.2
192.168.0.4
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{308716D4-362B-4F22-AF6F-4329875B6E05}:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5efe:192.168.0.2%15(Preferred)
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 251658240
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-AB-AC-B3-00-1C-C0-65-9B-0E
DNS Servers . . . . . . . . . . . : 192.168.0.1
192.168.0.2
192.168.0.4
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Disabled
Tunnel adapter isatap.{15E62D1F-803D-4A33-B62A-2767C7580D28}:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5efe:192.168.0.4%17(Preferred)
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 285212672
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-AB-AC-B3-00-1C-C0-65-9B-0E
DNS Servers . . . . . . . . . . . : 192.168.0.2
192.168.0.1
192.168.0.4
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Disabled
-
And finally here are the results of the dcdiag /dnsall
Directory Server Diagnosis
Performing initial setup:
Trying to find home server…
Home Server = Starbase
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\STARBASE
Starting test: Connectivity
......................... STARBASE passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\STARBASE
Starting test: Advertising
......................... STARBASE passed test Advertising
Starting test: FrsEvent
......................... STARBASE passed test FrsEvent
Starting test: DFSREvent
......................... STARBASE passed test DFSREvent
Starting test: SysVolCheck
......................... STARBASE passed test SysVolCheck
Starting test: KccEvent
......................... STARBASE passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... STARBASE passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... STARBASE passed test MachineAccount
Starting test: NCSecDesc
......................... STARBASE passed test NCSecDesc
Starting test: NetLogons
[STARBASE] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... STARBASE failed test NetLogons
Starting test: ObjectsReplicated
......................... STARBASE passed test ObjectsReplicated
Starting test: Replications
[Replications Check,STARBASE] DsReplicaGetInfo(PENDING_OPS, NULL)
failed, error 0x2105 "Replication access was denied."
......................... STARBASE failed test Replications
Starting test: RidManager
......................... STARBASE passed test RidManager
Starting test: Services
Could not open NTDS Service on STARBASE, error 0x5
"Access is denied."
......................... STARBASE failed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x00001796
Time Generated: 10/02/2014 07:59:08
Event String:
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
An error event occurred. EventID: 0xC0001B63
Time Generated: 10/02/2014 07:59:39
Event String:
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UmRdpService service.
An error event occurred. EventID: 0xC0001B63
Time Generated: 10/02/2014 08:00:09
Event String:
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ScDeviceEnum service.
An error event occurred. EventID: 0xC0001B58
Time Generated: 10/02/2014 08:00:09
Event String:
The Smart Card Device Enumeration Service service failed to start due to the following error:
An error event occurred. EventID: 0x00002720
Time Generated: 10/02/2014 08:01:02
Event String:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
......................... STARBASE failed test SystemLog
Starting test: VerifyReferences
......................... STARBASE passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : mynet
Starting test: CheckSDRefDom
......................... mynet passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... mynet passed test CrossRefValidation
Running enterprise tests on : mynet.net
Starting test: LocatorCheck
......................... mynet.net passed test LocatorCheck
Starting test: Intersite
......................... mynet.net passed test Intersite
All and any comments or suggestions greatly appreciated
**NOTE: In this post I have substituted my registered domain name with mynet**
WD
-
What a mess - this is your DC? Why do you have it setup multihomed with 2 interfaces in the same network?
Do you have other DCs – why are you pointing to 192.168.0.1 for DNS?
Why do you have all the teredo, 6to4 and isatap stuff turned on?
-
Thanks for your reply
What a mess - this is your DC? Why do you have it setup multihomed with 2 interfaces in the same network?
This network is for education purposes. After installing Windows 2012 R2 I was getting a message that the server should have 2 network cards. I installed a second card and the machine stopped complaining about that.
Do you have other DCs – why are you pointing to 192.168.0.1 for DNS?
I only have the one DC. 192.168.0.1 is the lan side of the pfsense box. Should I not be using the pfsense machine to do dns?
Why do you have all the teredo, 6to4 and isatap stuff turned on?
This is all stuff that was installed and turned on as part of the basic install of the server. I can turn if off if it is recommended.
Again, all and any comments or suggestions are appreciated.
-
Active Directory and DNS are tightly coupled. If you're running a Windows domain, you're better off using your domain controller to handle your DNS/DHCP.
-
"I only have the one DC. 192.168.0.1 is the lan side of the pfsense box."
How does pfsense know about your AD dns stuff? In an AD setup the only thing that can be pointed to for dns by any AD members is AD DNS.. Nothing else is going to have the records about your AD other than your AD dns.
What was complaining about 2 nics?? Did you setup this box as proxy or router? AD DC should not have 2 interfaces - especially in the same network!!
Unless you're using ipv6 over ipv4 transition methods you have no need of those - to be honest you prob have no need for ipv6 at all, and should prob disable it completely.
-
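The advice in this thread comes down to two checks you can run against a domain member's `ipconfig /all`: every DNS server it lists must be an AD DNS server (a loopback entry is tolerated, but not as the first entry), and a DC should not have two interfaces in the same subnet. The script below is an added example, not code from any poster, from pfSense or from Microsoft. It parses an `ipconfig /all` dump (a constructed sample modelled on the output posted above, with the same addresses) and reports both conditions. The caller supplies the set of AD DNS server addresses; here `192.168.0.2` and `192.168.0.4` are assumed to be the DC, as in the post, so `192.168.0.1` (the pfSense LAN address) is reported.

```python
"""Audit an 'ipconfig /all' dump for non-AD DNS servers and a multihomed DC."""
import ipaddress
import re

# Constructed sample, modelled on the output posted in the thread (same addresses).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : Starbase
   Primary Dns Suffix  . . . . . . . : mynet.net

Ethernet adapter vEthernet (Virtual Switch):

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.0.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.2
                                       192.168.0.1
                                       192.168.0.4
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.0.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       192.168.0.2
                                       192.168.0.4
                                       127.0.0.1

Tunnel adapter isatap.{308716D4-362B-4F22-AF6F-4329875B6E05}:

   Media State . . . . . . . . . . . : Media disconnected
   Link-local IPv6 Address . . . . . : fe80::5efe:192.168.0.2%15(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       fec0:0:0:ffff::1%1
"""

# "Ethernet adapter <name>:" / "Tunnel adapter <name>:" section headers.
ADAPTER_RE = re.compile(r"^(\S.*? adapter (.+)):\s*$")
# "<key> . . . . : <value>" field lines; the dot leader separates a key from a
# continuation line (extra DNS servers carry no leader, even IPv6 ones with colons).
FIELD_RE = re.compile(r"^\s*([A-Za-z][^.:]*?)\s*(?:\.\s*)+:\s?(.*)$")


def parse_ipconfig(text):
    """Return {adapter_name: {field: [values]}} for every adapter section."""
    adapters, section, field = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        header = ADAPTER_RE.match(line)
        if header:
            section = adapters.setdefault(header.group(2), {})
            field = None
            continue
        if section is None:
            continue  # host-level block before the first adapter
        match = FIELD_RE.match(line)
        if match:
            field = match.group(1).strip()
            value = match.group(2).strip()
            section[field] = [value] if value else []
        elif field is not None:
            section[field].append(line.strip())  # continuation line
    return adapters


def _addr(value):
    """Strip '(Preferred)' and an IPv6 scope id so the value parses as an address."""
    return re.sub(r"\(.*\)$", "", value).strip().split("%")[0]


def audit(adapters, ad_dns_servers):
    """List DNS and multihoming findings; ad_dns_servers is the set of AD DNS server IPs."""
    findings, subnets = [], {}
    for name, fields in adapters.items():
        if "Media disconnected" in fields.get("Media State", []):
            continue
        servers = [_addr(v) for v in fields.get("DNS Servers", [])]
        for server in servers:
            if server not in ad_dns_servers and not ipaddress.ip_address(server).is_loopback:
                findings.append(f"{name}: DNS server {server} is not an AD DNS server")
        if servers and ipaddress.ip_address(servers[0]).is_loopback:
            findings.append(f"{name}: loopback is the first DNS server; list a DC first")
        ip, mask = fields.get("IPv4 Address"), fields.get("Subnet Mask")
        if ip and mask:
            net = ipaddress.ip_network(f"{_addr(ip[0])}/{mask[0]}", strict=False)
            if net in subnets:
                findings.append(f"{name}: second interface in {net} (also {subnets[net]}); "
                                "a DC should not be multihomed")
            else:
                subnets[net] = name
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ipconfig(SAMPLE_IPCONFIG), {"192.168.0.2", "192.168.0.4"}):
        print(finding)
```

Feed it the real dump with `parse_ipconfig(open("ipconfig.txt").read())`; once the pfSense address is removed from both adapters, as the original poster later did, only the multihoming finding remains.
-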
I am running a Windows Domain. I'm starting to realize that the pfsense router is not ideal for a Windows Domain.
When I first setup the server and ran the Best Practice Analyzer it told me the machine should have 2 network adapters. After installing the 2nd adapter the BPA no longer complains about network adapters.
I've removed the pfsense from the list of dns machines and I no longer get the errors about it not being able to resolve the AD stuff. Now I'm just getting a message that the adapters should have a preferred and alternate DNS servers configured.
Thanks again to all commenters.
-
" I'm starting to realize that the pfsense router is not ideal for a Windows Domain. "
What does the router/firewall have to do with a windows domain – let me think about it for 2 seconds.. Yup that would be NOTHING!!!
Think for 2 seconds -- why would a DC need 2 nics?? Makes NO sense AT all!! Never heard of such a thing.. Only if it was going to be a proxy or router would it make sense that it needs 2 nics.. Is this some small business version of windows?
You don't need two NICs!! but yes you need to have your DNS for AD correct.. And you don't need alternative dns either.. How many boxes in your AD are running DNS?? Let me take a guess 1 -- so how would you have an alternative dns server?
-
4 years and still relevant. Mr. Johnpoz (the little friendly devil). I have a server essentials 2016 license. It's not meant to be used even twice in a VM or outside of one. And I'm using a PFSense FW with conditional DNS forwarding capability. It also has the option to be used for 'domain overrides'. This setup is to be used in a production environment with a 4 hour SLA to reproduce the AD DC with DNS should it fail in VMware.
Yet: I'd like to solve those best practice errors without configuring the PDC as if there will never be a SDC. Because I think there will be and at that point I'd love to just change one ip address and see everything become green.
I've been a system admin for quite a few years but networking is not my best skill (yet). So I was actually wondering about the same. Can I set any service in PFSense to 'spoof' a secondary DNS with all green servers in my solitary PDC?
I will keep you posted because it seems enough people are looking at this thread. Thanks for the response effort so far! (I started out learning this networking stuff as a teacher too by the way :-) Let's not throw out the PFsense as 'not the best solution' yet.)
-
Ok. So. By using my 30.10.10.in-addr.arpa and assigning my PDC's ip address (which I called the SDC reverseLUZ Spoof), and assigning that same ip to my.domainname.tst (SDC DNS LUZ Spoof) I lost 7 of the 9 BPA flags.
The last two I will solve later but since there is a list of system DNS servers usable both on WAN and LAN interface I have to figure out which one is seen as first and which one second.
But most of all, little devil: yes! It can be done. It might not be advisable for obvious reasons, but yes, it can be done!