DHCP from pfSense, DNS domain override to Windows Server 2008 R2 ADDS



  • @cmb:

    @johnpoz:

    If he is running AD, then no he would not want pfsense to be a secondary dns on the clients!  In AD, all members of the AD should ONLY Point to the AD dns for dns - no other dns should be configured on the client.

    Generally yes but SBS networks or any AD networks with a single DNS server are a big exception to that since you likely only have one Windows server and the loss of that server doesn't need to mean the loss of Internet connectivity. Having the DNS forwarder, configured with a domain forward for the AD domain to point to the AD DNS, is a good idea where you can't have multiple AD DNS servers for some reason.

    Above quote copied from another thread. I have this sort of issue and would like some feedback from anyone else who is running a similar configuration.
    Our small-office networks have the following typical equipment:
    a) pfSense on Alix, DHCP, OpenVPN between offices… - powered by 12V DC direct from solar/battery
    b) TP-Link 4-port switch+WiFi on pfSense LAN - powered by 12V DC direct from solar/battery
    c) ADSL or WiMax or whatever front-end device for internet on pfSense WAN - powered however we can from solar/battery with small inverter (hard to find 12V DC ADSL modem).
    d) Windows Server 2008 R2 with Active Directory+DNS, in a domain across VPN links with other offices - sucks real power, has to be turned off after business hours. (We are planning to install Fit-PC3 (12V) in many places, so we can leave these on soon)

    (a,b,c) are on 24/7. (d) is off after hours.

    Requirement: clients can still use the internet after the Windows Server shuts down.

    pfSense DHCP gives its LAN IP as default gateway and DNS.
    pfSense DNS forwarder domain override is defined to send DNS requests for names in the AD domain to the Windows Server.
    This allows DNS resolution of internet names at all times, even when the Windows Server is down.

    With this scheme, clients that are in the domain do not point directly at the AD domain DNS - they get there indirectly via the pfSense DNS forwarder domain override.

    Do others have experience with similar configurations?
    Are there latent issues that I will experience one day?


  • LAYER 8 Global Moderator

    "This allows DNS resolution of internet names at all times, even when the Windows Server is down."

    If your AD server running DNS is down, you have way more issues than resolving www.google.com and should be working on that!

    I do not agree with pointing clients to anything other than AD dns.. If you need more than 1 dns in say a SBS setup, then you should redesign your network to allow for multiple DCs and/or multiple DNS that can resolve AD dns.

    Creating an override in pfsense to point to your AD dns does not solve the issue of having only 1 dns.  Sure you might still be able to resolve www.google.com – but who gives a shit if your AD is down??

    "Requirement: clients can still use the internet after the Windows Server shuts down."

    WTF??  Leave your AD on if there are users there..  Why would they be at the location using internet, if the AD is offline - how are they going to access work resources..  They just there browsing porn after hours or what?



  • We have remote places in Nepal. We have up to 18 hours a day load-shedding (i.e. mains power on for 2 blocks of 3 hours in 24 in the really dry season). So the office domain controller shuts down after office hours are over and backup has run - if we could sweep up a few more spare electrons lying on the floor, then the server would stay on:)
    People can stay back and Skype their mum back in the city, use the www, whatever, they just don't have network file shares available. They can still login to client systems because the Windows domain clients have cached passwords, so can authenticate regular users when the DC is offline. So I also need DNS for external www names to work for them.
    I'll do some proper testing later this week, but I thought I would post this query in case someone else has a similar setup and knows already if it works/does not work/needs to be tweaked to make it work.



  • For a long time I have used pfSense DNS & DHCP and delegated the DNS to Windows 2008 R2.

    Under Services > DNS forwarder just input domain and IP of Windows DNS server under the Domain Overrides section.
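
The split described in the posts above, as an added example that is not part of the thread: a small model of how a forwarder with a domain override chooses an upstream, and which names stop resolving while the AD DNS server is off. The domain `corp.example`, the addresses and the function names are assumptions made for the illustration, and the model assumes an overridden domain is sent only to its listed server.

```python
# Added example: models upstream selection for a DNS forwarder with domain
# overrides. All names and addresses are constructed for illustration.

AD_DOMAIN = "corp.example"   # assumed AD DNS domain
AD_DNS = "192.168.1.10"      # assumed Windows Server (AD DNS) address
ISP_DNS = "203.0.113.53"     # assumed upstream resolver reached via the WAN

OVERRIDES = {AD_DOMAIN: AD_DNS}   # the "Domain Overrides" entry

# Constructed sample queries: internet names, AD host names and the SRV
# records domain members use to locate a domain controller.
SAMPLE_QUERIES = [
    "www.google.com",
    "fileserver.corp.example",
    "_ldap._tcp.dc._msdcs.corp.example",
    "_kerberos._tcp.corp.example",
    "notcorp.example",            # shares a string suffix, not a DNS suffix
]


def labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def pick_upstream(qname, overrides=OVERRIDES, default=ISP_DNS):
    """Return the server a query is forwarded to.

    An override applies only when it matches on a label boundary; the most
    specific (longest) matching override wins, otherwise the default is used.
    """
    q = labels(qname)
    best = None
    for domain, server in overrides.items():
        d = labels(domain)
        if len(d) <= len(q) and q[-len(d):] == d:
            if best is None or len(d) > best[0]:
                best = (len(d), server)
    return best[1] if best else default


def after_hours_report(names, servers_up):
    """Map each name to 'ok' or 'fails' given the set of reachable servers."""
    return {n: ("ok" if pick_upstream(n) in servers_up else "fails")
            for n in names}


if __name__ == "__main__":
    # Windows Server switched off: only the WAN-side resolver answers.
    for name, state in after_hours_report(SAMPLE_QUERIES, {ISP_DNS}).items():
        print(f"{state:5}  {name}")
```
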


  • LAYER 8 Global Moderator

    Ok then setup some very low power box, say a raspberry pi ;) to run your dns - bind comes to mind and have it work with your windows dns.  Now you have dns that is your AD without your AD being on.  Problem with pfsense is it only does dnsmasq which is very limited, etc.

    Really curious what sort of power your windows box draws, you could have a DC in a VM.. My whole vm setup draws like 55 watts.. That's less than having a light on..  Have more than 1 dc, one the lower power box - the other your file server I am taking it that you need to shut down that sucks up all the power?



  • We have some sites that have a "real" server (Dell PowerEdge etc) with dual power supply, RAID… that were bought some years ago, and suck 100-125 watts! Plus "ordinary" desktop-size servers that draw around 55 watts. These use way too much power to leave on through 6-9 hour gaps in mains power. Yes, I will be glad to be not dependent on them ASAP.

    We are in the process of moving to the Fit-PC3, 9 or 10W. So, along with Alix board pfSense 6W, and a TP-Link (4-port Gb ethernet switch+WiFi AP) 6W, and a front-end ISP device (ADSL modem, WiMax device...) 6-8W, we will be able to keep a core network running for 30W total. With a couple of 80W solar panels and suitable battery/s it can be off the mains completely. This will allow the Windows domain controllers to stay up 24/7 and talk to each other across OpenVPN all night - finally we will be able to sync big files to/from head office at night and so on.

    Until that is installed everywhere, I will try the workaround DNS stuff - it sounds like @joako has done it with success.

