pfsense, windows server active directory, dhcp and dns
-
There are already a bunch of posts about this subject and the general recommendation is to let windows server handle dhcp and dns. This approach is fine and all but IMHO introduces a couple of inconveniences along the way. I have a couple of questions and if anyone is kind enough to answer them I would be very thankful.
DNS Setup:
DC DNS forwards the outbound requests (non-local zones) to unbound
Unbound resolver is enabled
1- If the DC handles the DHCP and DNS, I guess we have to set up dhcp relay on the firewall for other subnets. Is that the correct approach? What other configuration should be adjusted on the firewall?
2- If the DC handles the DHCP and DNS, and the firewall handles the routing, will this not introduce extra weak points on the topology? Example:
Normal setup with pfsense handling DNS and DHCP:
- pfsense down, everything goes down
DC setup with DHCP and DNS:
- pfsense down, everything goes down
- DCs down, no DNS and countdown for DHCP leases
Additionally, for ease of use, we can just go to pfsense UI and adjust the DNS and DHCP settings as everything is in one place but if the DHCP is on the DC, there is no easy way to make adjustments (RDP or physical access to DCs required).
There is also a split dns solution with domain overrides with no DC DHCP, but in this case the dns records registered through DHCP on pfsense will not be replicated to DC DNS.
-
You will have much less pain and potential heartburn if you let the DC do both DNS and DHCP for the Active Directory domain. You do not necessarily have to allow the DC to handle DHCP for other subnets IF those subnets are not part of Active Directory. It would be perfectly fine to let pfSense handle DHCP on those subnets. But this is ONLY if those other subnets do not contain Active Directory clients.
As you surmised, there are a couple of other options but none of them is really ideal. Best overall to let the domain controller handle DHCP and DNS for Active Directory. That way, all the host names get properly registered and reverse IP pointers get set correctly for hosts.
It is perfectly fine to let your domain controller's DNS service forward queries that it is not authoritative for to unbound in pfSense for resolution. That way, you can use tools such as pfBlockerNG and its DNSBL feature (and/or the Python mode of unbound).
-
@bmeeks Yeah, I agree that it would be a lot easier but I am thinking of how to handle the aftermath.
DC will definitely handle DNS since it is one of the prerequisites, but for DHCP, how can pfsense know the ADDS clients registered on DC DHCP? We still have to use split DNS here, right? I mean
pfsense domain: mydom.org
ADDS domain: mydom.com
then domain override mydom.com to DC IP.
Another question is how to easily configure the DHCP on the DC. It is a lot harder to do that with DC as DHCP server.
For the subnets, and vlans, the ADDS clients are spread out to multiple subnets and vlans so it will complicate things.
-
@Laxarus said in pfsense, windows server active directory, dhcp and dns:
@bmeeks Yeah, I agree that it would be a lot easier but I am thinking of how to handle the aftermath.
DC will definitely handle DNS since it is one of the prerequisites, but for DHCP, how can pfsense know the ADDS clients registered on DC DHCP? We still have to use split DNS here, right? I mean
pfsense domain: mydom.org
ADDS domain: mydom.com
then domain override mydom.com to DC IP.
Another question is how to easily configure the DHCP on the DC. It is a lot harder to do that with DC as DHCP server.
For the subnets, and vlans, the ADDS clients are spread out to multiple subnets and vlans so it will complicate things.
I use the domain override setup, so anytime pfSense wants to look up a host in my Active Directory domain the domain override setting in unbound directs it to the IP of my DC (where DNS is running).
I find the Windows DHCP server much easier to configure than pfSense. Mostly this is because of the flexibility with reservations (if you use them) and the fact the DHCP server seamlessly updates DNS. It also offers two modes of DHCP high availability.
To be honest, the current DHCP and DNS implementation on pfSense is much less than ideal if you want to use DNS hostnames and DHCP. The dynamic update process is really not optimal as it requires restarting the DNS server each time a host renews its lease. You can use static reservations to get around the unbound restart, but in my opinion that becomes problematic very quickly in large networks (especially large business networks). The new Kea changes coming in the next release of pfSense Plus will be a big step in the right direction in this area, and I'm looking forward to those.
As you mentioned in your original post, you will need to configure the DHCP Relay Agent if you have AD hosts in different subnets.
In my setup, I have some IoT devices in a DMZ that is not part of AD. For that subnet, I just use the DHCP server within pfSense and do not worry about updating DNS with hostnames as the IoT devices don't support that anyway.
-
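Pulling the pieces from bmeeks' two replies into one script (DC DNS forwarding non-authoritative queries to unbound; Windows DHCP owning the scope, reservations, DNS registration and failover, with the DHCP Relay Agent on pfSense for the other VLANs). This is an added example, not code from the thread or from Netgate or Microsoft documentation. It uses the DhcpServer and DnsServer RSAT PowerShell modules with -ComputerName, so it runs from a domain-joined admin workstation without RDP to the DC. The domain mydom.com is from the thread; the host names dc01/dc02, the addresses (pfSense 10.0.0.1, DCs 10.0.0.10/11, client VLAN 10.10.10.0/24 with gateway 10.10.10.1), the svc-dhcpdns account and the printer MAC are assumed lab values.

```powershell
# Added example (not from the thread). Assumed lab values: AD domain mydom.com,
# DC01 10.0.0.10 and DC02 10.0.0.11 both running DNS + DHCP, pfSense at 10.0.0.1
# running unbound, and a client VLAN 10.10.10.0/24 whose gateway 10.10.10.1 is a
# pfSense interface with DHCP Relay pointed at the two DCs (that relay is a GUI
# step on pfSense and is not part of this script).
# Requires the DhcpServer and DnsServer RSAT modules; every cmdlet takes -ComputerName.

$dc1 = 'dc01.mydom.com'
$dc2 = 'dc02.mydom.com'

# --- DNS side: the DC answers mydom.com itself and forwards everything else to unbound.
Set-DnsServerForwarder -ComputerName $dc1 -IPAddress 10.0.0.1 -UseRootHint $false
Set-DnsServerForwarder -ComputerName $dc2 -IPAddress 10.0.0.1 -UseRootHint $false
# Accept dynamic updates only from authenticated principals on the AD zone.
Set-DnsServerPrimaryZone -ComputerName $dc1 -Name 'mydom.com' -DynamicUpdate Secure
# PTR registration needs a reverse zone for the relayed VLAN to exist on the DC.
Add-DnsServerPrimaryZone -ComputerName $dc1 -NetworkId '10.10.10.0/24' `
    -ReplicationScope Domain -DynamicUpdate Secure

# --- DHCP side: authorize both servers in AD, then build a scope for the relayed VLAN.
Add-DhcpServerInDC -DnsName $dc1 -IPAddress 10.0.0.10
Add-DhcpServerInDC -DnsName $dc2 -IPAddress 10.0.0.11
Add-DhcpServerv4Scope -ComputerName $dc1 -Name 'VLAN10 clients' `
    -StartRange 10.10.10.100 -EndRange 10.10.10.200 -SubnetMask 255.255.255.0 `
    -LeaseDuration (New-TimeSpan -Days 1) -State Active
# Hand out the pfSense VLAN gateway, and the DCs (not pfSense) as DNS servers.
Set-DhcpServerv4OptionValue -ComputerName $dc1 -ScopeId 10.10.10.0 `
    -Router 10.10.10.1 -DnsServer 10.0.0.10, 10.0.0.11 -DnsDomain 'mydom.com'

# DHCP registers A and PTR records for every lease and removes them on expiry;
# NameProtection stops one client from overwriting another host's record.
Set-DhcpServerv4DnsSetting -ComputerName $dc1 -ScopeId 10.10.10.0 `
    -DynamicUpdates Always -DeleteDnsRROnLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true -NameProtection $true
# With DHCP on a DC, use a dedicated low-privilege account for those updates
# instead of the DC's own computer account (svc-dhcpdns is an assumed name).
$dnsCred = Get-Credential -Message 'Dedicated DNS-update account, e.g. MYDOM\svc-dhcpdns'
Set-DhcpServerDnsCredential -ComputerName $dc1 -Credential $dnsCred
Set-DhcpServerDnsCredential -ComputerName $dc2 -Credential $dnsCred

# A reservation: fixed address by MAC, still receives options and DNS registration.
Add-DhcpServerv4Reservation -ComputerName $dc1 -ScopeId 10.10.10.0 `
    -IPAddress 10.10.10.50 -ClientId '00-11-22-33-44-55' -Name 'printer01' `
    -Description 'Example reservation (assumed MAC)'

# High availability: replicate the scope to DC02 in load-balance mode.
# For the other mode (hot standby) use -ServerRole Active -ReservePercent 10 instead.
Add-DhcpServerv4Failover -ComputerName $dc1 -PartnerServer $dc2 -Name 'dc01-dc02' `
    -ScopeId 10.10.10.0 -LoadBalancePercent 50 `
    -MaxClientLeadTime (New-TimeSpan -Hours 1) `
    -SharedSecret (Read-Host 'Failover shared secret') -AutoStateTransition $true

# Verify from the workstation: leases on the relayed scope and failover state.
Get-DhcpServerv4Lease -ComputerName $dc1 -ScopeId 10.10.10.0 |
    Select-Object IPAddress, HostName, ClientId, LeaseExpiryTime, AddressState
Get-DhcpServerv4Failover -ComputerName $dc1 |
    Select-Object Name, Mode, State, PartnerServer
```

Two checks worth doing after this runs: unbound's access control on pfSense must allow queries from the DC subnet, or the forwarder will time out; and a domain override for 10.10.10.in-addr.arpa pointing at the DC is needed alongside the mydom.com override if pfSense itself (pfBlockerNG reports, firewall logs) should resolve PTRs for AD clients.
-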
@bmeeks hmm, but how do you manage the DHCP server on the DC then? I imagine it is not as easy as in pfsense, where you just go to a web browser and navigate the pfsense UI. You need to use RDP to access the DC. Is there an easier way?
And additionally, there are more weak points, since when the DCs are down you are basically without DHCP during that down time.
-
@Laxarus said in pfsense, windows server active directory, dhcp and dns:
but how do you manage the DHCP server on the DC then? I imagine it is not as easy as in pfsense, where you just go to a web browser and navigate the pfsense UI. You need to use RDP to access the DC. Is there an easier way?
I just use RDP. But you can also use the RSAT (Remote Server Administration Tools) from Microsoft. Here are a couple of links describing how to install and use the tools:
https://activedirectorypro.com/install-rsat-remote-server-administration-tools-windows-10/
You can install the tools on a Windows 10 or 11 workstation.
-
Thanks @bmeeks . I know about RSAT but it is still not exactly as easy as a simple webui. Just curious, did you ever try windows admin center? This should be hosted on the local machine webserver so it should be accessible via browser.
See the deployment types here:
https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/plan/installation-options
-
@Laxarus said in pfsense, windows server active directory, dhcp and dns:
did you ever try windows admin center?
No, I've just used the direct snap-in plugin management tool in Windows Server itself via RDP. I really don't do very much to my AD configuration these days. It just runs very well all by itself. I very rarely need to change anything, and thus it is not that big of a deal to use the MMC on the rare chance when I need to look at something or make a change.