DNS not working for Server 2008R2 & Pfsense



  • Hello all. I have ALWAYS been able to find my answer up til now, and have been having major issues that I cannot find out the answer to, so I figured it was time to finally create an accoutn and post. Here is my setup

    PfSense:
    WAN: DHCP via Comcast
    LAN:  Set up as 192.168.101.x/24
    DHCP server handing out a range of 100 addresses starting at .100
    DNS on System –> General as:
    Hostname: pfsense
    Domain: elliott.local
    127.0.0.1
    192.168.101.20 <-- IP of W2K8R2 server, setup with AD and DNS
    4.2.2.2
    8.8.8.8

    DNS Forwarder enabled
    Register DHCP leases in DNS forwarder checked
    Register DHCP static mappings in DNS forwarder checked
    Host override entered for w2k8.elliott.local
    Domain override for elliott.local pointing to 192.168.101.20

    Clients, including the 2008 server, are all sitting on a VmWare ESXi server. I am wanting to migrate my wife and kids away from their windows XP boxes, and have them using Windows 7 on the ESXi server, with AD implemented so that I can implement login time restrictions for the kids, central printing to my laser, WSUS, etc.

    I am wanting PfSense to handle DHCP, handing out the W2K8 IP for the DNS Server to clients. Anything the AD server does not know about (outside my netowrk) should then go to pfsense. I understand that as far as the clients go, they should talk to the AD DNS ONLY, and not know about any other DNS.

    I am unable to add clients to the domain. At one point a ping -a 192.168.101.20 was returning the host name as w2k8.elliott.local. At that time, whenever I tried joining them to the domain, I was greeted with "Logon Failure: The Target Account Name is Incorrect" from the client.

    Well, I was. Now I have messed things up trying to get them right, and now when I do a ping -a 192.168.101.20 from  a client, all I get is the short name of w2k8, instead of with the doamin, which should make it w2k8.elliott.local. The same thing on the server, however, returns the hostname with the domain appended. So I am figuring tha pfSense is now handling DNS, and not adding the domain, when I do the ping.

    I am willing to start over, even getting rid of the AD server and reinstalling from scratch, which I have done once already. However, I need some advice from someone who knows what they are doing, so that I can get these machines added to the domain, and DNS working correctly.

    Thanks in advance for your time, and let me know if I have not included enough info.


  • Rebel Alliance Global Moderator

    If you want to run a domain - your dhcp server should prob be your 2k8 box as well.

    If your going to have a AD DC online - why not just use it for dhcp as well?  What does using pfsense buy you for dhcp?  In your AD dhcp just set it up to point to your pfsense as the gateway.

    You are correct all AD members need to point to your AD DNS.  You can then either forward none AD lookups to pfsense, which would then forward to your ISP, or 4.2.2.2, etc.  Or you could have your AD use roots, or you could setup forwards on your AD dns to go direct to 4.2.2.2 or your isp or googledns, etc.

    If you don't want anyone being able to do their own dns or use any other dns, then lock down the rules on pfsense to only allow your AD dns IP 192.168.101.20 to go outbound or even talk to pfsense on udp/tcp 53



  • Totally agree! Use AD server to act as a DHCP. Then in DNS on the server go to the DNS forwarder and put them to 8.8.8.8 google ETC and let it forward traffic on. Pfsense doesnt need to be involved really accept to make the inital connection.


Locked