Active Directory and DNS with pfSense firewall

Hello all, I’m somewhat new to Active Directory as well as pfSense. I do have a basic knowledge of networking, though I’m still learning. The company I work for has 3 locations, one of those locations being a “central” location (all servers are hosted at the central site and all remote users connect to the central site). All sites are part of a domain. Each site has a DC with DNS. RDS (host, broker, and license servers) has been deployed within the domain. Everything was running on Unifi firewalls. The firewalls handled DHCP at all 3 sites. I was getting fed up with the limitations of the USG and USG-Pro, so I built 3 pfSense boxes. I’ve got them in place, but with problems. DNS seemed flaky from the start. Websites wouldn’t always load, but I wouldn’t see any extra latency or slow throughput. My guess was an issue between DNS resolution taking place in pfSense and in Windows Server. pfSense is my DHCP server for my AD network. Should I transition that over to my DC? What are the best practices for incorporating pfSense with AD? I would highly appreciate any help. Thanks.

When using Active Directory the AD servers should handle both DNS and DHCP.

LTS_Tom is correct; you need to leave DHCP and DNS to AD.

You can configure AD to forward any external website resolution to pfSense and have any local name resolution done by Windows DNS. Once done, check whether name resolution becomes more stable.

What should I use on the pfSense side? Resolution or forwarding out to public DNS?

My suggestion is to use the DNS resolver.


I don’t think you have to serve DHCP from the domain controller, but you do need to set the DNS option to your domain controller. Also, just make sure you have forwarders set up on the DCs as well, and it should work.

I ended up disabling DNS resolution from pfSense on my AD LAN (only the AD LAN) and set up forwarders on my DCs.
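One way to apply and check the setup described in the last two posts (forwarders on each DC pointing at the pfSense resolver, clients using the DC for DNS), written here as an added example and not taken from any poster. It runs on a DC holding the DNS role and assumes placeholder values: pfSense LAN address 192.168.10.1, internal host dc01.corp.example, and external name example.com.

```powershell
# Added example. Placeholders below are assumptions, not values from the thread.
$PfSenseResolver = '192.168.10.1'        # pfSense LAN IP running the DNS Resolver (Unbound)
$InternalName    = 'dc01.corp.example'   # a name that lives in the AD-integrated zone
$ExternalName    = 'example.com'         # a public name that must go out via the forwarder

# 1. Make the DC forward anything it is not authoritative for to pfSense only.
#    Set-DnsServerForwarder replaces the whole forwarder list, so stale public
#    resolvers configured earlier are dropped. Root hints are disabled so the DC
#    never bypasses the forwarder if pfSense is slow to answer.
Set-DnsServerForwarder -IPAddress $PfSenseResolver -UseRootHint $false -Timeout 3

# 2. Show the resulting forwarder configuration for the record.
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout

# 3. Internal names must be answered from the DC's own zone, external names via pfSense.
$internal = Resolve-DnsName -Name $InternalName -Server 'localhost' -Type A -ErrorAction Stop
$viaDc    = Resolve-DnsName -Name $ExternalName -Server 'localhost' -Type A -ErrorAction Stop
$direct   = Resolve-DnsName -Name $ExternalName -Server $PfSenseResolver -Type A -ErrorAction Stop

"Internal $InternalName -> $($internal.IPAddress -join ', ')"
"External $ExternalName via DC -> $($viaDc.IPAddress -join ', ')"
"External $ExternalName via pfSense -> $($direct.IPAddress -join ', ')"

# If the DC and pfSense disagree on a public name, the DC is not actually using
# the forwarder (or pfSense Unbound is not answering on the AD LAN interface).
if (Compare-Object ($viaDc.IPAddress | Sort-Object) ($direct.IPAddress | Sort-Object)) {
    Write-Warning "DC and pfSense returned different answers for $ExternalName; check forwarder and Unbound ACLs."
}

# 4. This machine's own client DNS setting must point at a DC, never at pfSense,
#    otherwise AD lookups (SRV records, GC) go to a resolver that has no AD zone.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses
```

Run the same script on each site's DC; the DHCP scope on pfSense only needs its DNS server option set to that site's DC for the clients to follow the same path.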

Thanks for all of the suggestions!