How to run DHCP on pfSense, but register DNS in Win2k3 server

ttblum · Nov 26, 2014, 4:11 PM

Hello,

I have a network with Windows Domain and local domain controller.

I have DHCP running on my pfSense router, handing out the primary DNS as the local domain controller, and secondary DNS as the pfSense router. The pfSense router is configured with a DNS forwarder, and a domain override to redirect any domain DNS requests to the domain controller. This works perfectly in case the domain controller goes down, there is still internet access OK.

However, the hostnames of the workstations are not getting registered into the domain controller's DNS, so the names and IP addresses of the workstations are not matching up with reality on the domain controller's DNS. This is causing issues with deployment software that expects the DNS to be correct.

Is there any way to configure pfSense to hand out DHCP and update the DNS on a Windows domain controller?

KOM · Nov 26, 2014, 4:31 PM

Everything I've read says that if you're using an AD domain, you should let Windows handle DNS/DHCP. That's also how I do things here. If your DC goes down, you've got bigger fish to fry anyway. I assume you're running a BDC as well?

johnpoz · Nov 27, 2014, 12:31 PM

^ Exactly!!! Other than the fact there are no BDCs any more, those went away after NT ;) But sure more than 1 DC should be a given.

There is really no point in running dhcp/dns on pfsense if you have Active Directory running..

muswellhillbilly · Nov 27, 2014, 12:51 PM

Assuming you have just one Windows DNS server acting as your DC, you can set your DHCP scope on the DHCP server to use the DC as the primary name server and then set the pfSense address as the secondary. This way, you keep your Windows domain happy and will still have use of a backup name server if your DC goes down. Though - as already stated - I would have thought internet access would be the least of your worries if your Windows domain controller packs up.

johnpoz · Nov 27, 2014, 1:32 PM

"use the DC as the primary name server and then set the pfSense address as the secondary"

Sorry but no this is not how it should be done.. The ONLY dns listed for member of AD should be AD dns.. You do not know when the client might use the secondary dns, if fist one times out on a query (doesn't answer fast enough). It could ask the secondary - and now that answered stick with that one, etc..

Members of AD should only point to AD dns PERIOD!!! If you want more than one, then there should be more than one AD dns..

KOM · Nov 27, 2014, 2:07 PM

Other than the fact there are no BDCs any more, those went away after NT ;)

Hush up! You're making me feel old.

johnpoz · Nov 27, 2014, 2:16 PM

hehe, yeah you can tell the old admins that still use the term bdc ;) I catch myself doing it as well - so don't feel too old. I wonder if I have a copy of NT laying around - fire up an old domain ;)

KOM · Nov 27, 2014, 2:33 PM

I have an active Windows NT 4.0 Server box sitting about 15 feet away from me. In a previous life we did optical drive & jukebox software, so I still to this day need a system that I can read & write NTFS4 for optical media data recovery purposes.

johnpoz · Nov 27, 2014, 5:12 PM

Well I just fired up a VM, stroll down memory lane on the setup process. Sure went a lot faster on a vm than I remember on real hardware ;)

Had to find sp6 to be able to install the nic drivers from vmtools - but its up and running and on the network ;) Hmm should I setup a domain is the question… hehe But it does ask you when you run through setup if you want it to be primary or BDC ;)

KOM · Nov 27, 2014, 5:30 PM

Did oyu have a product key for it or did you remember the old 111-111111111 trick?

johnpoz · Nov 27, 2014, 5:44 PM

I remember the 111 thing now that you mention it ;) But I just did a quick google, there was cdkey on archive.org for that matter. The OS is so old I think its public domain anyway.

muswellhillbilly · Nov 28, 2014, 8:47 AM

Ah, yes - slapping my forehead now. Windows DNS for AD is specific to AD, of course - with all those wonderful proprietary entries which make AD work (badly). You're right Johnpoz - I should sometimes engage my brain before typing. Ignore my previous bad advice.

kejianshi · Nov 28, 2014, 9:27 AM

Now I want to install windows 95… Where did I put that 20 pound stack of install disks....

ttblum · Dec 1, 2014, 5:53 PM

Hi,

I'm basing my setup on section 21.3.1.5 "Domain Overrides" of the first pfSense book. I need internet connectivity to stay up if there is a PDC failure because I have many mission-critical apps that are hosted over the internet.

As suggested there, my DHCP server is the pfSense router, primary DNS is the PDC, and secondary DNS is the pfSense.

Does setting it up this way usually register the correct workstation names in the PDC's DNS?

Derelict · Dec 1, 2014, 7:07 PM

Your solution is another DC, not pfSense. I would give DHCP duties to the windows server.

A BIND server with slave copies of the windows DC/DNS master zones should be good enough as a secondary in a pinch if you're looking for a free software solution - as long as AD is maintaining the contents of the zone files and you refresh early and often. Unless AD has DNS record types or something that nobody else uses - wouldn't surprise me.

As has been said, ALL of the name servers given to a client have to behave the same way and have the same content.

ETA: Hmm. Thinking about it, shouldn't it work if he domain overrides his AD DNS zone and in-addr zone(s) over to his DC? (with DHCP moved over to windows, of course)

ttblum · Dec 16, 2014, 8:32 PM

It looks like the issue was that we decommissioned workstations without removing them from Active Directory.

The DNS records of the old workstations stayed on the domain controller while the new workstations were joining, and I ended up with multiple DNS records pointing to a single IP address.

The DNS/ActiveDirectory forwarding is working fine with pfSense, I have a similar setups at other sites.