Domain logins fail with pfSense dns providing



  • Hello All,

    pfSense-1.2.3-RELEASE

    Over the last week I have been trying to migrate both dhcp, & dns from a Windows Server 2003  to the pfSense machine,to try and simplify things at our schools. Internet browsing does work fine but domain logins fails. I am using as the dns server in pfSense LAN nic the actual pfSense LAN ip address.
    I get the same results at two school locations with this configuration.
    I do still have WINS enabled on the Windows Server 2003 machine.

    After trying to do an domain login with a workstation, doing an ipconfig /all does show that pfsense is providing the correct AD domain name to the workstation.
    Do I possibly need to manually enter the ip address and FQDN of the windows server in the pfSense DNS page?

    Thank You,
    BC



  • Do the domain logins attempt to access the controller by a public IP address or private?


  • LAYER 8 Global Moderator

    AD needs more just the IP of the DC.

    http://support.microsoft.com/kb/247811
    How Domain Controllers Are Located in Windows

    A workstation that is logging on to a Windows-based domain queries DNS for SRV records in the general form:
    _service._protocol.DnsDomainName

    Active Directory servers offer the Lightweight Directory Access Protocol (LDAP) service over the TCP protocol. Therefore, clients find an LDAP server by querying DNS for a record of the form:
    _ldap._tcp.DnsDomainName

    example records that a DC would create
    dc1.ad.mydom.com. A 4.2.2.3

    _ldap._tcp.ad.mydom.com. SRV 0 0 389 dc1.ad.mydom.com.

    _kerberos._tcp.ad.mydom.com. SRV 0 0 88 dc1.ad.mydom.com.

    _ldap._tcp.dc._msdcs.ad.mydom.com. SRV 0 0 389 dc1.ad.mydom.com.

    _kerberos._tcp.dc._msdcs.ad.mydom.com. SRV 0 0 88 dc1.ad.mydom.com.

    For you GC something like
    gc._msdcs.ad.mydom.com SRV 0 0 3268 dc1.ad.mydom.com.

    If you looking to run DNS for AD – I would suggest you read the documentation on how to use BIND for AD for example.



  • Hello All,

    Thanks for the responses. I never thought in that regard if the workstation logins are in fact trying to use the public IP of the pfSense machine, instead of the lan ip address? I will check into this.

    johnpoz,
    Thanks for the detailed info. This makes perfect sense why using the pfSense machine as dns for domain logins ends up failing. It would appear the ldap transparent magic can not happen,even by assigning the pfSense NIC IP address to the PDC as the dns server. I was to the thinking as log as I left the WINS service running on the PDC the domain logins,,and name resolving would work?
    Yes you are right in regards to bind.  We have setup an linux centos server as the domains file file server about 7 years back and works great with the winbind service runnning. I am thinking at this years school end I will setup a couple of Samba servers as the PDC(s)  and doing away with Windows 200x servers,and may be able to get pfSense to intergrate with these machines. Time will tell?
    I have briefly tested this setup at home,and does work out of the box.

    Take Care,
    BC


  • LAYER 8 Global Moderator

    My suggestion of bind was just to look up how to integrate it with AD, since there is lots and lots of documentation on that.

    You most likely could do the same thing with unbound on pfsense just need to create the required records, or for that matter just run bind on pfsense.  No gui for it like you get with unbound - but you can run anything that will run on freebsd on the pfsense installs.  Just might need to add some missing stuff, etc.

    I for for one can not stand openntp – so I run full blown ntp on my pfsense.


Log in to reply