DNS and Domain Controllers
-
I'm assuming you are talking about Windows 2k/2003/whatever.
Active Directory is hard-wired into LDAP and DNS. The DNS zone on an AD controller contains a bunch of records that are needed for your network to function correctly. These records are not easily created on non-windows DNS servers. Setup AD on some bogus zone, like company.local, and point the Windows clients to the DC. The DC will resolve non-local queries externally, or you could use the cache on your pfSense as forwarder. But it will cache itself. I'm talking your internal network here- you could run a public zone on pfSense with the new DNS server package. IMO, only crazy people run public zones off a Windows box. -
Yes i am talking about 2003. So easiest it sounds like would be using the server as the dns. I'm not sure pfsense how to tell it to use the 2k3 server as the dns while still being able to forward to outside dns (with how the pfsense box forwards).
So if I just make up a different name and don't use the same as what I have registered that would work also? What about when I get the web server setup for a website for the domain I have registered. Will it still work then? A.D. being different than the actual domain?
Where can I find out about the dns server package? I don't remember seeing it and that might not be a bad option.
-
You could use the providers DNS servers on pfSense (system, general), or point the DNS to your DC, shouldn't make a big difference. There's no problem having AD on a private DNS zone (it should be), it will just lookup the public zone like everybody else. The only problem I see is that if you went to www.company.com you would get the public ip for the server that is on your LAN, but enabling NAT reflection on the advanced tab should take care of that.
The DNS server package is still under development, but I think you can add it via package on a 1.2 beta. -
I'll have to look at the NAT reflection. That should take care of the problem for the webserver. No sense in it going outside the network only to come back lol.
thank you for the information. When I get home after work I have a couple of things to try.
Version 1.2 is sounding better and better everytime I hear something about it. Not sure if I really want to install a beta on my main connection though, only reason why I haven't.
-
Neither the DNS forwarder nor the DNS server package support the record types required for proper functioning of Active Directory.
What you should do is leave your ISP DNS servers on pfsense, and configure the DNS forwarder with a domain override for your AD domain. i.e. if your AD is mycompany.com, configure the DNS forwarder to forward all requests for mycompany.com to your internal DNS server on the Windows DC. All other DNS queries would be forwarded to your ISP's DNS servers.
You can setup your Windows DNS server to use your pfsense DNS forwarder as its DNS forwarder if you want. So your DNS resolution internally would be:
Windows server –> pfsense --> ISP's DNS --> root servers
Alternatively, you can setup your Windows DNS to go directly to the root servers and not do any DNS forwarding, which is what I typically prefer to do (better security-wise, and reliability-wise as well in my experience).
-
Ok, i have a question.
I haven't found any option with in pfsense to do the NAT reflection so it doesn't have to look at the outside world for the website which is internal to start with (no sense in having it go out only to come back in. I'm still learning pfsense so I may have msised it but any help woudl be greatly appreciated.
Thanks!
-
System -> Advanced
-
-
Ah ha. thank you very much. Works much better now :)
-
I'd suggest using the DC to provide DHCP and DNS to your clients. That way your DC always has current listings of your internal clients IPs. It will make your life easier and more secure.
I'd setup the internal network on a different domain then your public one. However if you've already setup the windows domain that is much easier said then done. At any rate, I'd register the domain you use internally just so no one else does, it could bite you in the butt in the future if you have road warriors, well worth $10/year
I'd setup the public DNS on a *nic system, either pfsense or other in a DMZ preferably.
You do NOT want your windows domain dns to be accessible from the outside world. But if they are the same domain name then just setup the *nix box and the Windows box both with the SOA. Your public one will be the one with real authority, but you DC must believe that it does as well. Your clients will believe your DC's DNS no matter what.
You can use DNS tricks on your DC to point to the internal IP of the webserver too, this will take the traffic off your internet connection, otherwise it may route out to the internet and then back to you.
Hope this helps.
