pfSense DHCP with Active Directory DNS Windows Server 2016
-
I have set up 2 domain controllers on our company network (10.0.2.122). Domain controllers (Active Directory) require DNS, and I have installed DNS on DC01 (10.0.2.122). Our DHCP is controlled by pfSense. I have added a DNS server (10.0.2.122) entry into pfSense. After that I tried connecting a machine to the domain controller and it won't connect. We have 2 old DCs, each with its own DNS server; machines can find them easily.
-
The best way to handle this in an AD shop is to let AD do everything. That means DNS and DHCP. You can easily add DHCP as a feature on your domain controller.
Set your AD DNS servers to resolve and make sure DHCP hands out your AD servers as the DNS for your network. Over on pfSense you can either point it to your AD DNS, or you can use the default resolver setup there and create a domain override for your local domain and point unbound on pfSense to your AD DNS box for resolving local hosts.
-
On pfSense, in DHCP Server set the Other Options, Domain Name, to your AD domain, e.g. mydomain.local.
In DNS Resolver, make a Domain override: mydomain.local to 10.0.2.122
I join PCs to different domains all the time over IPsec tunnels and DNS overrides.
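Once the domain override is in place, the quickest way to confirm it is to ask the pfSense resolver for the DC-locator SRV record that a domain join depends on. The script below is an added example, not from this thread; it assumes a workstation with `dig` installed and uses 10.0.2.1 as a placeholder for the pfSense LAN address.

```shell
#!/bin/sh
# Added example: check that pfSense's unbound forwards the AD zone to the DC
# by querying the DC-locator SRV record a domain join needs.
# Placeholders: 10.0.2.1 = pfSense LAN address, mydomain.local = AD domain.
RESOLVER="${RESOLVER:-10.0.2.1}"
AD_DOMAIN="${AD_DOMAIN:-mydomain.local}"

# Read `dig +short ... SRV` output on stdin and print the DC hostnames.
# Answer lines look like: "0 100 389 dc01.mydomain.local."
# Anything else (timeouts, comments, empty output) yields no lines.
srv_targets() {
    awk 'NF == 4 && $4 ~ /\.$/ { sub(/\.$/, "", $4); print $4 }'
}

# Query the resolver; succeed only if at least one DC target comes back.
check_dc_locator() {
    resolver="$1"; domain="$2"
    answer=$(dig +short +time=2 +tries=1 @"$resolver" \
        "_ldap._tcp.dc._msdcs.$domain" SRV 2>/dev/null)
    targets=$(printf '%s\n' "$answer" | srv_targets)
    if [ -z "$targets" ]; then
        echo "FAIL: no DC locator SRV records for $domain via $resolver" >&2
        echo "      check the Domain Override for $domain in DNS Resolver" >&2
        return 1
    fi
    echo "OK: domain controllers for $domain via $resolver:"
    echo "$targets"
}

# Run the live check only when a resolver is given on the command line,
# e.g.:  sh check_dc.sh 10.0.2.1 mydomain.local
if [ "$#" -ge 1 ]; then
    check_dc_locator "$1" "${2:-$AD_DOMAIN}"
fi
```

If the record resolves directly against 10.0.2.122 but not against pfSense, the override (not the DC) is what needs fixing.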
-
One issue you will face if you use the DHCP server on pfSense is that hostnames of local clients will not be registered in DNS in AD. That may or may not be of concern for your setup.
And you don't want to turn on DHCP DNS updates within pfSense as that will cause the unbound daemon to be restarted each time a client renews its lease. There are many posts on the forum about that little gotcha. DNS can be dead for many seconds during that restart, and the dead time is greatly expanded when you use tools such as pfBlockerNG-devel and DNSBL.

In my opinion, if you have an Active Directory shop, you really should let most of the DNS and DHCP infrastructure be hosted within AD. And in Windows 2016 and up, AD supports DHCP failover if you install the service on multiple hosts.