Active Directory DNS

Guest

Hi, I am new in the community and this is the first time that I will use pfsense in our office I would like to ask what configuration that I needed to resolve our Domain Controller DNS to pfsense box. This is my setup

• Pfsense will handle DHCP
• We have 2 domain controller 10.10.0.6 and 10.10.0.7

Thank you for your help.

Derelict

Let AD handle DNS and DHCP.

Guest

I configured the dns server to the domain controller. Is there anyway that dchp will be in pfsense box?

Derelict

I say again. Let AD handle DNS and DHCP.

johnpoz

What possible benefit could there be to have pfsense do dhcp, when you clearly have 2 DC that are more than capable of providing dhcp..

Name 1 reason not to just do it on the DC, which makes for easier name resolution of AD members, etc. etc.  Since you stated you have 2, you can do dhcp failover.  Do you have any other servers?

https://technet.microsoft.com/en-us/library/hh831385.aspx
Step-by-Step: Configure DHCP for Failover

Guest

Yes we do have 2 DC running on our network, and it is configured on 2 vsphere servers  (1 DC each server). Technically it is running thru vmware and there are a some servers also that is running to that server

Derelict

So why are you looking for something else to do DHCP or DNS?

Guest

These servers are located on different area in the office but since the building is very old power keeps on flactuating and server goes down. The area where I will put the pfsense box is the most stable power supply however it cannot handle a lot of server. Thats why as much if it is possible that I can use the pfsense as DHCP and the DNS will be on the DC. Currently we mikrotik router but since it is old I will switch to pfsense. 10.10.0.6, 10.10.0.7 (DC) and 10.10.0.1 (router)  are configured under DHCP -> DNS and it works well, however when I tried to configured it in PFsense the host are getting hard time to pick up ip address to the pfsense box.

Derelict

Effing fix your power or move your DCs. Christ.

johnpoz

^ yeah that would be my suggestion as well.. WTF???

SobyOne

I use the same configuration because I have multiple independent domain names (forests) on my network.

You should be able to configure the DHCP to work in this way, although it's designed by default to point the WAN toward your gateway.

In your scenario, I would use the following:

DNS Entries
  10.10.0.6
  10.10.0.7

Gateway
  10.10.0.1

I found I also needed to add the DNS entries to System -> General for pfSense to resolve machine names.


joako

I'll be the odd one out. This is how I've always done it and it's never been an issue. Keep in mind pfSense becomes a single point of failure.

Under Services > DNS Forwarder or Services > DNS Resolver (depending on what version of pfSense was originally installed, unless you've manually switched to DNS Resolver) create a domain override:

johnpoz

And still no actual answer to what point is using pfsense when you have AD that requires DNS and has it right there running anyway.. Why would you point member clients of AD to anything other than your AD dns and dhcp, one good reason??

Having multiple forests sure and the F is not a valid reason.. Or do you think it is?  Please explain..

"Keep in mind pfSense becomes a single point of failure."

So sure you create a domain override - but for what Freaking reason?  As you state you no create failure point..

ThatGuy

I'm new to pfSense 2.3 and as with some others I like to setup DHCP and DNS on my routing appliances and not Windows Server.  Joako is right on the money.  By doing what he suggests it works great.  No AD or Group Policy errors on workstations authenticating to the DC/AD Server.  Works for me.

JasonJoel

@johnpoz:

And still no actual answer to what point is using pfsense when you have AD that requires DNS and has it right there running anyway.. Why would you point member clients of AD to anything other than your AD dns and dhcp, one good reason??

Having multiple forests sure and the F is not a valid reason.. Or do you think it is?  Please explain..

"Keep in mind pfSense becomes a single point of failure."

So sure you create a domain override - but for what Freaking reason?  As you state you no create failure point..

I thought in order to use DNSBL in pfBlocker you HAD to run DNS through pfSense?

Jason

johnpoz

"I thought in order to use DNSBL in pfBlocker you HAD to run DNS through pfSense?"

What does that have to do with your AD dns???  You point your clients to your AD dns.. You then have your AD dns ask pfsense that is running unbound and using pfblocker  For stuff it is not authoritative for, simple forward setup in AD dns..

JasonJoel

@johnpoz:

"I thought in order to use DNSBL in pfBlocker you HAD to run DNS through pfSense?"

What does that have to do with your AD dns???  You point your clients to your AD dns.. You then have your AD dns ask pfsense that is running unbound and using pfblocker  For stuff it is not authoritative for, simple forward setup in AD dns..

I see your point, and I agree your technically correct. I chose to do DHCP in pfSense instead of my DCs because I have a lot of other non-AD subnets and choose not to DHCP relay. So if I'm going to use DHCP for the non-Windows subnets in pfSense, I might as well do it all there so I don't have to manage DHCP 2 different places - even though I admit that makes the AD subnet DHCP configuration less robust/reliable.

Jason

johnpoz

"I might as well do it all there so I don't have to manage DHCP 2 different places"

Well depends on how many clients you have in AD and nonAD..  I personally would let AD clients get dhcp from AD.. This is how MS designed it ;)

But where dhcp comes from has little to do with dns..  Be it you point your nonAD to pfsense for dns would depend on if they need to resolve lots of stuff in AD dns..

Your clearly running 2 dns setups now.. Not sure what you have against dhcp relay?  This would allow all dns to be in AD for all your clients, and since they would be getting dhcp from there it would be a cleaner setup.

If you want pfsense itself to resolve your AD stuff then sure it needs to know where to go ask for dns via a domain override.

joako

@johnpoz:

And still no actual answer to what point is using pfsense when you have AD that requires DNS and has it right there running anyway.. Why would you point member clients of AD to anything other than your AD dns and dhcp, one good reason??

Having multiple forests sure and the F is not a valid reason.. Or do you think it is?  Please explain..

"Keep in mind pfSense becomes a single point of failure."

So sure you create a domain override - but for what Freaking reason?  As you state you no create failure point..

If I use Windows DHCP then I have to buy a CAL for each iPhone an employee connects to the wifi.

johnpoz

"If I use Windows DHCP then I have to buy a CAL for each iPhone an employee connects to the wifi."

Says freaking who???  You sure and the F do not need a cal to handout dhcp lease…  There is nothing in MS that checks for this..

Does your user not have a cal already??  Your doing device cal licensing??

If your doing user based cals the user could have 100 devices using server resources..  If your using device licensing then sure legally this would be a requirement but who does device licensing this never makes sense..

Also I have never seen a company actually pay that close attention to MS licensing from hell.. If your going to take it to the letter of the MS requirement then pretty much every single business on the planet that has a windows machine would fail ;)