Windows 10 won’t connect to a windows 2012 server connected to a PfSense network. In VMware fusion

mattpdx86

I have been trying to add a windows 10 computer to a Windows 2012 domain that’s connected to a PF sense Netwerk. Every time I try to bring up Windows 10 and add it to the Windows 2012 domain and I enter the net bios name, you asked me for the username and password, but as soon as I enter it, I get a message on windows 10 stating that, the domain cannot be found it does not exist. Has anybody ever experienced this and how did you fix it?

bmeeks

Is the Windows 10 client pointing to the domain controller for its DNS server? Is the pfSense DHCP server (if used) configured to hand out the domain controller as the preferred DNS server to clients?

When using Active Directory, it is best practice to let the domain controller be the DHCP and DNS server for the AD network. Then point all clients to the AD DNS server for domain name resolution. It is okay to then configure the AD DNS server to forward looks for domains where the AD DNS is not authoritative to a forwarder, and the DNS Resolver on pfSense can be that destination forwarder.

From your description, sounds like the Window client is asking some DNS server other than the domain controller for Active Directory domain information, and that other DNS server has no clue about the AD domain.

SteveITS

@bmeeks said in Windows 10 won’t connect to a windows 2012 server connected to a PfSense network. In VMware fusion:

Then point all clients to the AD DNS server

A short addendum since it trips people up...only the AD DNS. Windows uses a "last known good" DNS server, not using an order.

Also when joining PCs, I find sometimes I have to use the NetBIOS or FQDN (dotted) name, if one fails.

mattpdx86

@bmeeks
I have PF sense configured with DNS, resolver, and DHCP is also enabled on PF sense. I did go into DNS set up on windows server 2012 and add PF sense as a DNS server. On the Windows 10 client when I go to join the computer to the domain I enter the NetBIOS name and press enter then it comes back and it asked me for a username and password I enter the admin username and password, and then it thinks for a while, and then it comes back and says that the domain does not exist, or cannot be found.

mattpdx86

@bmeeks also, I was putting the server on the land side of PF since were all the other computers were going to sit, but for some strange reason it’s not adding it to the domain

SteveITS

@mattpdx86 if you are using pfSense as the DNS server on the PC you will need to add a Domain Override to point your domain "example.lan" to the IP address(es) of your AD DNS. Otherwise the PC will never be able to contact the Windows domain.

As I noted above did you try the dotted AD domain? Even set up correctly I have seen one name work and the other not work.

Side note: 2012 reaches EOL in 7 months. (unless paying for the additional security updates)

mattpdx86

@steveits
FQDN
Server name.domain name.com i.e.
Svro1.mydomain.com correct?

SteveITS

@mattpdx86 Not sure I understand your example... Windows AD has two names, a NetBIOS name (COMPANY) and a DNS name (company.lan, company.local, etc.). I'm saying, try both. DNS will have to point or forward to the Windows DNS, for the DNS name to work.

mattpdx86

@steveits
I am new to PF sense, and I’m trying to get it set up because I want to use it for my business but I wanna try to my home environment first

Tzvia

@mattpdx86 You mentioned the server is in VMWare Fusion, is it NAT? or is it on the same network as the host (bridge mode)? Where is the Windows 10 device, is it also in VMWare? Maybe you mentioned it but I missed it if you did...
It's been a long time since I had to setup Fusion (people at work largely switched to Parallels) and I am not a MAC person... but I think the default is to NAT the VM. Bridged mode would give the VM an IP in the same network as the host is in, but NAT has a software firewall that may be an issue here if the server is natted. Same for if it's the Windows 10 machine if it is the natted one.

If they are on the same network, then PFSense has nothing to do with it at least in terms of firewall. It is best to have the Server 2012 box handle DHCP and DNS, and give out via DHCP, ONLY the IP of the 2012 box for DNS. Have the 2012 server then forward DNS to the LAN IP of PFSense, and let PFSense take it from there for any address that is NOT in your internal network. Otherwise, you need a host override for the IP of the server AND a host override for the domain name, pointing it to the server IP. If you have more than one server, point the domain override at the master roles holder (or the PDC Emulator role holder if the roles are split amongst several DCs). When joining a domain, the desktop is looking for the DOMAIN, not the server.