I’ve got a new pfSense box that I added for DNS and DHCP. I have some LAN clients that are part of a domain with a separate domain controller. After installing the pfSense device, those clients can no longer reach the domain controller for authentication. Everything else seems to be working, but obviously I missed some config settings. Google and ChatGPT haven’t helped. Any suggestions on what I’m missing? Thanks!!
Any firewall rules that might be causing issues?
Here is the error when I try to join the domain from the workstations:
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain “WCC.LOCAL”:
The error was: “DNS name does not exist.”
(error code 0x0000232B RCODE_NAME_ERROR)
The query was for the SRV record for _ldap._tcp.dc._msdcs.WCC.LOCAL
Common causes of this error include the following:
- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:
    192.168.1.10
    1.1.1.1
    8.8.8.8
- One or more of the following zones do not include delegation to its child zone:
    WCC.LOCAL
    LOCAL
    . (the root zone)
Found it. I had the IP of the DC listed in the tertiary position of the pfsense DHCP DNS servers list. Apparently, the workstations were not attempting to use that DNS server when trying to connect to the DC. I moved the IP of the DC to the primary position in the list and poof, the workstations find it now.
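An added example (not from the thread) that models the client behaviour the fix relies on: the client asks the resolvers in the order DHCP hands them out, and an authoritative "name does not exist" from the first one is treated as final, so the DC listed later is never asked. The resolver replies are constructed stubs; 192.168.1.10 is assumed to be the DC's DNS server, as in the error output above.

```python
import struct

SRV_NAME = "_ldap._tcp.dc._msdcs.WCC.LOCAL"
RCODE_NAME_ERROR = 3   # DNS RCODE 3 (NXDOMAIN); Windows reports it as 0x232B
DC_DNS = "192.168.1.10"  # assumed: the domain controller's DNS service


def build_srv_query(name, txid=0x1234):
    """Build a minimal DNS query packet: one question, QTYPE SRV (33), class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 33, 1)


def parse_rcode(packet):
    """Return the RCODE (low 4 bits of the flags word) from a DNS header."""
    flags = struct.unpack("!H", packet[2:4])[0]
    return flags & 0x000F


def fake_resolver(ip, query):
    """Constructed stand-in for sending the query to a server and reading the reply."""
    txid = query[:2]
    if ip == DC_DNS:
        # The DC is authoritative for WCC.LOCAL: QR|AA, NOERROR, one answer record.
        return txid + struct.pack("!HHHHH", 0x8400, 1, 1, 0, 0) + query[12:]
    # Public resolvers know nothing about the private zone: QR|RD|RA, RCODE 3.
    return txid + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0) + query[12:]


def locate_dc(dns_servers, resolve=fake_resolver):
    """Walk the DHCP-provided resolver list the way a client does.

    The first definitive reply (NOERROR or NXDOMAIN) ends the lookup; later
    servers are only consulted when an earlier one fails to answer at all.
    """
    query = build_srv_query(SRV_NAME)
    for ip in dns_servers:
        reply = resolve(ip, query)
        if reply is None:          # timeout: fall through to the next server
            continue
        rcode = parse_rcode(reply)
        if rcode == 0:
            return ("found", ip)
        if rcode == RCODE_NAME_ERROR:
            return ("nxdomain", ip)  # client stops here; the DC is never asked
    return ("no-answer", None)
```

With the DC in the tertiary slot the lookup ends at 1.1.1.1 with NXDOMAIN; with the DC first it succeeds.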
When you have an AD server, that should be handling the DNS and DHCP for the clients joined to AD.
Can you explain why the AD server should be the one to handle the DHCP and DNS?
Simple answer: the client computers trust the domain server for DNS and DHCP information and look for it. Technically you can use pfSense for it, but it will create headaches on a regular basis. It is just easier in the long run to use the domain controller for DNS and DHCP.
Edit: I personally have a separate DHCP server that is not on the domain controller but on another Windows server that is part of the domain, but that is my personal choice.
Everything that @binnih said, and to add some detail: AD uses DNS. So not having the AD server for DNS is where the headaches happen.