Netgate Discussion Forum

    Active Directory DNS

    Category: DHCP and DNS | 31 Posts, 9 Posters, 10.8k Views
    • Guest

      Hi, I am new to the community and this is the first time that I will use pfSense in our office. I would like to ask what configuration I need to resolve our Domain Controller DNS to the pfSense box. This is my setup:

      • pfSense will handle DHCP
      • We have 2 domain controllers, 10.10.0.6 and 10.10.0.7

      Thank you for your help.

      • Derelict (LAYER 8 Netgate)

        Let AD handle DNS and DHCP.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • Guest

          I configured the DNS server to the domain controller. Is there any way that DHCP will be on the pfSense box?

          • Derelict (LAYER 8 Netgate)

            I say again. Let AD handle DNS and DHCP.

            • johnpoz (LAYER 8 Global Moderator)

              What possible benefit could there be to having pfSense do DHCP, when you clearly have 2 DCs that are more than capable of providing DHCP?

              Name 1 reason not to just do it on the DC, which makes for easier name resolution of AD members, etc. etc.  Since you stated you have 2, you can do DHCP failover.  Do you have any other servers?

              https://technet.microsoft.com/en-us/library/hh831385.aspx
              Step-by-Step: Configure DHCP for Failover

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              • Guest
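The DC-side setup johnpoz is pointing at, as an added example that is not part of the thread or Microsoft's article: both domain controllers serve the office scope with DHCP failover, handing out the DC addresses as DNS servers and 10.10.0.1 as the gateway. Only the three addresses come from the thread; the hostnames DC1/DC2, the AD DNS name corp.example, the 10.10.0.0/24 scope and the lease range are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the first DC
# with the DhcpServer module (RSAT) present. DC1/DC2, corp.example and the scope
# bounds are assumed; 10.10.0.6, 10.10.0.7 and 10.10.0.1 are from the thread.
$Dc1     = 'DC1'            # 10.10.0.6 (hostname assumed)
$Dc2     = 'DC2'            # 10.10.0.7 (hostname assumed)
$Domain  = 'corp.example'   # AD DNS name (assumed)
$ScopeId = '10.10.0.0'

# 1. DHCP role on both DCs.
Install-WindowsFeature -Name DHCP -IncludeManagementTools
Install-WindowsFeature -Name DHCP -IncludeManagementTools -ComputerName $Dc2

# 2. Authorize both servers in AD; an unauthorized DHCP server refuses to lease.
Add-DhcpServerInDC -DnsName "$Dc1.$Domain" -IPAddress 10.10.0.6
Add-DhcpServerInDC -DnsName "$Dc2.$Domain" -IPAddress 10.10.0.7

# 3. Scope on DC1. The low part of the subnet is kept free for the router and
#    static servers; the options are exactly what the clients need for AD logon:
#    DC addresses as DNS, router as gateway, the AD domain as DNS suffix.
Add-DhcpServerv4Scope -ComputerName $Dc1 -Name 'Office LAN' `
    -StartRange 10.10.0.100 -EndRange 10.10.0.250 -SubnetMask 255.255.255.0 `
    -LeaseDuration (New-TimeSpan -Days 1)
Set-DhcpServerv4OptionValue -ComputerName $Dc1 -ScopeId $ScopeId `
    -DnsServer 10.10.0.6,10.10.0.7 -Router 10.10.0.1 -DnsDomain $Domain

# 4. Replicate the scope to DC2 as a load-balanced failover pair. The shared secret
#    authenticates the failover channel between the two servers; prompt for it
#    rather than hard-coding it in a script.
$Secure = Read-Host -Prompt 'Failover shared secret' -AsSecureString
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure))
Add-DhcpServerv4Failover -ComputerName $Dc1 -PartnerServer $Dc2 -Name 'DC1-DC2' `
    -ScopeId $ScopeId -LoadBalancePercent 50 -SharedSecret $Plain `
    -MaxClientLeadTime (New-TimeSpan -Hours 1) -AutoStateTransition $true

# 5. Verify: the relationship is NORMAL on DC1 and the scope now exists on DC2.
Get-DhcpServerv4Failover -ComputerName $Dc1 | Format-List Name, Mode, State, PartnerServer
Get-DhcpServerv4Scope -ComputerName $Dc2 -ScopeId $ScopeId
```

With the scope replicated, either DC can go down (the thread's power problem) and the other keeps leasing; Windows clients can also register their own A records in AD DNS, which a pfSense-issued lease does not do for them.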

                Yes, we do have 2 DCs running on our network, and they are configured on 2 vSphere servers (1 DC on each server). Technically it is running through VMware and there are also some other servers running on those servers.

                • Derelict (LAYER 8 Netgate)

                  So why are you looking for something else to do DHCP or DNS?

                  • Guest

                    These servers are located in different areas of the office, but since the building is very old the power keeps fluctuating and the servers go down. The area where I will put the pfSense box has the most stable power supply, however it cannot handle a lot of servers. That's why, as much as possible, I would like to use pfSense as DHCP while the DNS stays on the DC. Currently we use a MikroTik router, but since it is old I will switch to pfSense. 10.10.0.6, 10.10.0.7 (DC) and 10.10.0.1 (router) are configured under DHCP -> DNS and it works well; however, when I tried to configure it in pfSense the hosts have a hard time picking up an IP address from the pfSense box.

                    • Derelict (LAYER 8 Netgate)

                      Effing fix your power or move your DCs. Christ.

                      • johnpoz (LAYER 8 Global Moderator)

                        ^ yeah that would be my suggestion as well.. WTF???

                        • SobyOne

                          I use the same configuration because I have multiple independent domain names (forests) on my network.

                          You should be able to configure DHCP to work this way, although by default it's designed to point the WAN toward your gateway.

                          In your scenario, I would use the following:

                          DNS Entries
                            10.10.0.6
                            10.10.0.7

                          Gateway
                            10.10.0.1

                          I found I also needed to add the DNS entries to System -> General for pfSense to resolve machine names.

                          [Attachment: DNS Servers on DHCP.png]

                          • joako
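A client-side check of the configuration above, as an added example that is not from the thread: on a Windows domain member that took its lease from pfSense, confirm that the DHCP options actually delivered the DC addresses as DNS servers and 10.10.0.1 as gateway, then confirm that the DC locator can find a domain controller through them. The AD DNS name corp.example is an assumption.

```powershell
# Added check, not from the thread. Run on a Windows domain member after renewing
# its lease (ipconfig /renew). corp.example is an assumed AD DNS name; the
# addresses are the ones SobyOne configured.
$Domain      = 'corp.example'
$ExpectedDns = @('10.10.0.6', '10.10.0.7')
$ExpectedGw  = '10.10.0.1'

# Only the DHCP-assigned, connected IPv4 interface is of interest.
$if = Get-NetIPInterface -AddressFamily IPv4 -Dhcp Enabled -ConnectionState Connected |
      Select-Object -First 1
if (-not $if) { throw 'No connected DHCP-enabled IPv4 interface found' }

$dns = (Get-DnsClientServerAddress -InterfaceIndex $if.InterfaceIndex `
            -AddressFamily IPv4).ServerAddresses
$gw  = (Get-NetRoute -InterfaceIndex $if.InterfaceIndex -DestinationPrefix '0.0.0.0/0' `
            -ErrorAction SilentlyContinue).NextHop

# The DHCP server must hand out exactly the DCs, nothing else mixed in: a public
# resolver in the list breaks AD lookups intermittently instead of cleanly.
if (-not $dns -or (Compare-Object $dns $ExpectedDns)) {
    Write-Warning "DNS servers are [$($dns -join ', ')], expected [$($ExpectedDns -join ', ')]"
} elseif ($dns[0] -notin $ExpectedDns) {
    Write-Warning "First DNS server $($dns[0]) is not a DC; AD lookups will go to the wrong place first"
} else {
    Write-Host "OK: DNS servers from DHCP are $($dns -join ', ')"
}
if ($gw -ne $ExpectedGw) { Write-Warning "Gateway is '$gw', expected $ExpectedGw" }

# End to end: if the DC locator cannot find a DC via these servers, logon and
# Group Policy fail even though the lease itself looks fine.
nltest /dsgetdc:$Domain /force
```

The `nltest` call is the same lookup the Netlogon service does at logon, so it exercises both the DHCP-delivered DNS servers and the DCs' SRV records in one step.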

                            I'll be the odd one out. This is how I've always done it and it's never been an issue. Keep in mind pfSense becomes a single point of failure.

                            Under Services > DNS Forwarder or Services > DNS Resolver (depending on what version of pfSense was originally installed, unless you've manually switched to DNS Resolver) create a domain override:

                              • johnpoz (LAYER 8 Global Moderator)
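A check for the domain-override approach, as an added example that is not from the thread or from pfSense: from a Windows client that uses 10.10.0.1 as its DNS server, verify that the pfSense resolver hands the AD zone to the DCs and returns the same DC locator records the DCs return themselves. It assumes the override maps the AD domain (corp.example here, an assumed name) to the DC addresses, and that a second override for the reverse zone 0.10.10.in-addr.arpa exists; neither detail is given in the post.

```powershell
# Added check, not from the thread. Run on a Windows client whose DNS server is
# pfSense (10.10.0.1). corp.example is an assumed AD DNS name.
$Domain  = 'corp.example'
$PfSense = '10.10.0.1'
$Dc      = '10.10.0.6'

# The record a domain member asks for first: the DC locator SRV for the domain.
# -DnsOnly keeps LLMNR, NetBIOS and the hosts file out of the comparison.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
$viaPf = Resolve-DnsName -Name $srvName -Type SRV -Server $PfSense -DnsOnly -ErrorAction Stop
$viaDc = Resolve-DnsName -Name $srvName -Type SRV -Server $Dc      -DnsOnly -ErrorAction Stop

$pfTargets = @($viaPf | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget | Sort-Object)
$dcTargets = @($viaDc | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget | Sort-Object)

if (-not $pfTargets) {
    Write-Warning "pfSense returned no SRV records for $srvName; the domain override for $Domain is missing or wrong"
} elseif (Compare-Object $pfTargets $dcTargets) {
    Write-Warning "pfSense and the DC disagree on DC SRV targets: [$($pfTargets -join ', ')] vs [$($dcTargets -join ', ')]"
} else {
    Write-Host "OK: override for $Domain returns the same DCs as the DC itself: $($pfTargets -join ', ')"
}

# Reverse lookups for AD hosts need their own override for the in-addr.arpa zone,
# which is easy to forget; a PTR for a DC is the quickest way to notice.
$ptr = Resolve-DnsName -Name $Dc -Type PTR -Server $PfSense -DnsOnly -ErrorAction SilentlyContinue
if (-not $ptr) { Write-Warning "No PTR for $Dc via pfSense; add an override for 0.10.10.in-addr.arpa" }
else           { Write-Host "OK: PTR for $Dc is $($ptr.NameHost)" }
```

Unbound caches negative answers, so after fixing an override clear the resolver cache on pfSense (or wait out the TTL) before re-running the check, otherwise a stale NXDOMAIN can make a correct override look broken.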

                               And still no actual answer to what the point is of using pfSense when you have AD, which requires DNS and has it right there running anyway.. Why would you point member clients of AD to anything other than your AD DNS and DHCP, one good reason??

                               Having multiple forests sure and the F is not a valid reason.. Or do you think it is?  Please explain..

                               "Keep in mind pfSense becomes a single point of failure."

                               So sure you create a domain override - but for what freaking reason?  As you state, you now create a failure point..

                                • ThatGuy

                                 I'm new to pfSense 2.3 and, as with some others, I like to set up DHCP and DNS on my routing appliances and not Windows Server.  Joako is right on the money.  By doing what he suggests it works great.  No AD or Group Policy errors on workstations authenticating to the DC/AD server.  Works for me.

                                ThatGuy

                                  • JasonJoel

                                   @johnpoz:

                                   And still no actual answer to what the point is of using pfSense when you have AD, which requires DNS and has it right there running anyway.. Why would you point member clients of AD to anything other than your AD DNS and DHCP, one good reason??

                                   Having multiple forests sure and the F is not a valid reason.. Or do you think it is?  Please explain..

                                   "Keep in mind pfSense becomes a single point of failure."

                                   So sure you create a domain override - but for what freaking reason?  As you state, you now create a failure point..

                                  I thought in order to use DNSBL in pfBlocker you HAD to run DNS through pfSense?

                                  Jason

                                    • johnpoz (LAYER 8 Global Moderator)

                                    "I thought in order to use DNSBL in pfBlocker you HAD to run DNS through pfSense?"

                                     What does that have to do with your AD DNS???  You point your clients to your AD DNS.. You then have your AD DNS ask pfSense, which is running unbound and using pfBlocker, for stuff it is not authoritative for: a simple forwarder setup in AD DNS..

                                      • JasonJoel
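The forwarder setup johnpoz describes, as an added example that is not from the thread: clients stay on AD DNS, and each DC forwards everything it is not authoritative for to unbound on pfSense, so pfBlockerNG's DNSBL still applies to every lookup. The DC hostnames DC1/DC2 and the probe name example.com are assumptions.

```powershell
# Added example, not from the thread. Run from an admin PowerShell with the
# DnsServer module (RSAT) against each DC. DC1/DC2 are assumed hostnames for
# 10.10.0.6/10.10.0.7; pfSense is 10.10.0.1 as in the thread.
$Dcs     = @('DC1', 'DC2')
$PfSense = '10.10.0.1'

foreach ($dc in $Dcs) {
    # Set-DnsServerForwarder replaces the whole forwarder list. Root-hint fallback
    # is switched off deliberately: with it on, a pfSense outage would make the DC
    # resolve on its own and silently bypass the blocklist instead of failing.
    Set-DnsServerForwarder -ComputerName $dc -IPAddress $PfSense -UseRootHint $false -Timeout 3
    Get-DnsServerForwarder -ComputerName $dc | Format-List IPAddress, UseRootHint, Timeout
}

# Check that forwarding is really in the path: an outside name resolved through a
# DC must match what pfSense answers directly. If the two differ, the DC is
# resolving by itself (or via some other forwarder) and DNSBL is not applied.
$probe  = 'example.com'   # harmless public name, assumed reachable
$fromDc = @((Resolve-DnsName $probe -Type A -Server 10.10.0.6 -DnsOnly -ErrorAction Stop).IPAddress | Sort-Object)
$fromPf = @((Resolve-DnsName $probe -Type A -Server $PfSense  -DnsOnly -ErrorAction Stop).IPAddress | Sort-Object)
if (Compare-Object $fromDc $fromPf) {
    Write-Warning "DC and pfSense disagree on $probe ([$($fromDc -join ', ')] vs [$($fromPf -join ', ')]); forwarding is not in effect"
} else {
    Write-Host "OK: $probe resolves to $($fromPf -join ', ') through the DC and through pfSense"
}
```

Two things on the pfSense side make or break this: the resolver's access list must allow queries from the DC addresses (the default "allow local networks" covers them), and if unbound is in forwarding mode its upstream must not be the DCs themselves (System > General Setup), otherwise a query for an outside name would bounce between the DC and pfSense. Leave unbound resolving on its own or forward it to an external resolver.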

                                       @johnpoz:

                                       "I thought in order to use DNSBL in pfBlocker you HAD to run DNS through pfSense?"

                                       What does that have to do with your AD DNS???  You point your clients to your AD DNS.. You then have your AD DNS ask pfSense, which is running unbound and using pfBlocker, for stuff it is not authoritative for: a simple forwarder setup in AD DNS..

                                       I see your point, and I agree you're technically correct. I chose to do DHCP in pfSense instead of on my DCs because I have a lot of other non-AD subnets and choose not to use DHCP relay. So if I'm going to use DHCP for the non-Windows subnets in pfSense, I might as well do it all there so I don't have to manage DHCP in 2 different places, even though I admit that makes the AD subnet DHCP configuration less robust/reliable.

                                      Jason

                                        • johnpoz (LAYER 8 Global Moderator)

                                        "I might as well do it all there so I don't have to manage DHCP 2 different places"

                                         Well, it depends on how many clients you have in AD and non-AD..  I personally would let AD clients get DHCP from AD.. This is how MS designed it ;)

                                         But where DHCP comes from has little to do with DNS..  Whether you point your non-AD clients to pfSense for DNS would depend on whether they need to resolve lots of stuff in AD DNS..

                                         You're clearly running 2 DNS setups now.. Not sure what you have against DHCP relay?  This would allow all DNS to be in AD for all your clients, and since they would be getting DHCP from there it would be a cleaner setup.

                                         If you want pfSense itself to resolve your AD stuff then sure, it needs to know where to go ask for DNS via a domain override.

                                          • joako

                                           @johnpoz:

                                           And still no actual answer to what the point is of using pfSense when you have AD, which requires DNS and has it right there running anyway.. Why would you point member clients of AD to anything other than your AD DNS and DHCP, one good reason??

                                           Having multiple forests sure and the F is not a valid reason.. Or do you think it is?  Please explain..

                                           "Keep in mind pfSense becomes a single point of failure."

                                           So sure you create a domain override - but for what freaking reason?  As you state, you now create a failure point..

                                          If I use Windows DHCP then I have to buy a CAL for each iPhone an employee connects to the wifi.

                                            • johnpoz (LAYER 8 Global Moderator)

                                            "If I use Windows DHCP then I have to buy a CAL for each iPhone an employee connects to the wifi."

                                             Says freaking who???  You sure and the F do not need a CAL to hand out a DHCP lease…  There is nothing in MS that checks for this..

                                             Does your user not have a CAL already??  You're doing device CAL licensing??

                                             If you're doing user-based CALs the user could have 100 devices using server resources..  If you're using device licensing then sure, legally this would be a requirement, but who does device licensing? This never makes sense..

                                             Also I have never seen a company actually pay that close attention to MS licensing from hell.. If you're going to take it to the letter of the MS requirement then pretty much every single business on the planet that has a Windows machine would fail ;)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.