How to join pfSense to Active Directory?



  • Hello,

    I am new to pfSense. I want to join our pfSense to Active Directory because we don't want to enter the DNS server of the Active Directory server every time in each computer to join the Domain Controller. I have used it in Kerio Control, it was easy, but I don't know how to do it in pfSense. Thanks in advance.



  • Just change the DNS servers in the dhcp-server settings?



  • So in that case, squid proxy will work? And what about DNS Forwarder to Domain Controller, then it will be the same as you have mentioned?



  • As far as I'm aware, there's no way to "join" the pfsense machine to the AD.  What it sounds like is that you want machines on the network to use your AD for DNS?  If so, the answer is in how your network is configured for assigning IP addresses and DNS servers.  You'd want those machines to all use your AD DNS server (instead of the pfsense machine).

    Is DHCP handled by your pfsense box?  If so, just configure the DHCP settings on pfsense to reference the AD DNS server as the proper DNS server.

    Is DHCP handled by a Windows AD machine?  If so, there's really nothing you need to do on your pfsense box.  (If you happen to be using pfsense to route between VLANs, you might consider setting up DHCP relay on your pfsense box to forward DHCP requests.)  (This is how I have my own network configured at home.)  This configuration has the advantage of Windows DHCP automagically adding DNS records for non-domain joined machines.

    What you CAN NOT do (as far as I've been able to discover) is to have DHCP on the pfsense box add DNS records to the Windows AD DNS server.

    Take care
    Gary



  • DHCP is handled by our pfsense box. Then I have to just change the DNS servers in the DHCP server settings, right? Then client computers will get an IP address automatically from pfSense like this:
    IP: 192.168.1.x
    Subnet mask: 255.255.255.0
    Gateway: 192.168.1.1
    DNS: 192.168.1.50 (DNS of ADDS)

    I have denied some websites in Squid proxy, then in this case those websites will also be blocked on client computers?



  • @emammadov:

    DHCP is handled by our pfsense box. Then I have to just change the DNS servers in the dhcp server settings, right?

    I have denied some websites in Squid proxy, then in this case that websites will also be blocked in client computers?

    I can't comment on the specific pfsense DHCP settings, as I don't have my own pfsense box set to do DHCP.  However, it should be a simple matter to set it up as you described, and then get a client machine to release and renew its DHCP assignment to verify the expected settings are coming across.

    As for squid, I have no clue whatsoever... but someone else should be able to help out. :)
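The release-and-renew check suggested above, as an added example that is not part of any post in this thread: run it on a Windows client after changing the pfSense DHCP "DNS servers" setting. It assumes the AD DNS server is 192.168.1.50 (the value given earlier in the thread) and uses `corp.example` as a placeholder for the AD domain name, which the thread never states; it goes one step beyond the thread by also confirming that the assigned server answers the `_ldap._tcp.dc._msdcs` SRV query that domain clients use to locate a domain controller.

```powershell
# Added verification script, not from the thread or the pfSense project.
# Assumptions: AD DNS server is 192.168.1.50 (from the thread); the AD domain
# name is a placeholder, replace 'corp.example' with your own.
$ExpectedDns = '192.168.1.50'
$AdDomain    = 'corp.example'

# Force a fresh lease so the new DHCP options from pfSense are applied.
ipconfig /release | Out-Null
ipconfig /renew   | Out-Null

# Collect the DNS servers actually assigned to connected, DHCP-enabled IPv4 adapters.
$adapters = Get-NetIPInterface -AddressFamily IPv4 -Dhcp Enabled -ConnectionState Connected
$dns = $adapters | ForEach-Object {
    (Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4).ServerAddresses
}

if ($dns -contains $ExpectedDns) {
    Write-Host "OK: DHCP handed out AD DNS server $ExpectedDns"
} else {
    Write-Warning "DHCP DNS servers are [$($dns -join ', ')], expected $ExpectedDns"
}

# The real test: a domain join needs the DC locator SRV record, which only
# AD-integrated DNS serves. Query the assigned server directly so a stale
# cache or a different resolver cannot mask a misconfiguration.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV `
                           -Server $ExpectedDns -ErrorAction Stop
    $srv | Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { Write-Host "DC located: $($_.NameTarget):$($_.Port)" }
} catch {
    Write-Warning "Could not resolve DC SRV record via ${ExpectedDns}: $($_.Exception.Message)"
}
```

If the first check passes but the SRV lookup fails, the DHCP side is fine and the problem is on the AD DNS server (zone or firewall), not in pfSense.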



  • Adding DNS server of Active Directory in the DHCP server settings worked well.



  • If you haven't already, you might consider the advantages (in an AD environment) of having your Windows server doing DHCP as well.  For example, if Windows is doing DHCP, the DHCP server can be configured to update the DNS server.  At that point, if you have multiple VLANs, you'd also want to enable the DHCP relay function on pfsense (or on an L3 switch).