AD, DHCP, DNS Reconfiguration on my network


Roaming Builder
Apr 12, 2017
Interested in seeing where you end up :)
I can certainly post after everything is configured. I am setting up the T30 now to replace my PDC. It IS much larger than I thought it was going to be, but it is almost silent. I might actually keep it up in my office and run a dedicated networking drop for it.
 

littleredwagen
Dec 8, 2016
With my setup I run my two servers 24/7, some media services etc., both on Hyper-V. In the event the batteries die, the machines are set to restart on power restoration. Since I use Windows AD DS, DNS and DHCP, I have added DCs to both hosts with DNS servers (I have 3 DNS servers running) and have DHCP failover to the other host, so if one physical machine goes the network still functions like nothing happened (with regard to those services).
 

EricE
May 11, 2017
I was looking at this little puppy Netgate SG-1000 microFirewall and it would make a great small device that would fit what I was trying to do with the t30, if I could still have AD functioning correctly.
While I'm a huge fan of pfSense and in general I want to support Netgate, I'm really peeved about the SG-1000.

First, it doesn't support QoS. I was looking to upgrade my parents' firewall with the SG-1000 and since they are on a crappy DSL with a horrible uplink I was looking forward to prioritizing VNC so that when I am providing remote support the connection wouldn't totally suck :(

Also Netgate has recently announced that pfSense 2.5 will require CPUs with AES-NI for what, to me, looks like no really good reason: pfSense 2.5 will only work with AES-NI capable CPUs.

I haven't seen confirmation, but I'd be shocked if 2.5 would be coming to the SG-1000. And while they state 2.4 will be supported for "at least" a year after 2.5 is released, for better or worse the SG-1000 appears to have an artificially limited lifespan. Which is annoying since it was a breath of fresh air - reasonably priced new hardware for pfSense.

And this AES-NI requirement shoots down the whole "use whatever you have to run a powerful firewall" too.

Sigh - I'm really hoping Ubiquiti can step it up with the EdgeRouter and UniFi Security Gateways.

EffrafaxOfWug
Feb 12, 2015
Do any of you happen to know if it is possible to set up pfSense as DHCP/DNS in a way that it would not break AD, but would still allow internet access in an instance that I shut all of my AD/DNS/DHCP servers down?
Yes, and quite simple. Set up pfSense as your router and configure it to run a DNS server, which will use external DNS servers. Then your internal Windows DNS servers can simply point to your pfSense router as a resolver for anything outside your AD domain - so your domain controllers will handle all the DNS for your domain, and pfSense will handle everything else.

It also allows greater flexibility internally, since you might want to segregate a few networks away from your AD stuff. This way someone on a guest network wouldn't need to be given access to your domain controllers, they could just be pointed straight at the pfsense DNS server.

As I understand it, DHCP does not have to be handled by Windows, but AD does require DNS to be handled in its sphere for all of the lookups that AD requires. But that doesn't mean that it has to be the ONLY DNS.
DHCP can follow a similar model (yes, AD-integrated DHCP can be done outside of MS DHCP servers but it's a bit of a PITA); your segregated AD networks get their DHCP from the windows servers, all your other networks can get it from DHCP servers running elsewhere (like the pfsense box).

Personally I use dnsmasq as my DNS server since it also handles DHCP automatically (and will register local DNS names for DHCP-issued IPs without having to muck around with stuff like TSIG) and a samba4+bind9 setup for my internal active directory DNS. dnsmasq thus handles all DNS and DHCP duties for everything not on the domain networks, and samba+bind handles everything on the internal domain networks, referring up to dnsmasq when it needs to query t'internet-based DNS (although none of my domain machines have direct internet access).

S'about as KISS as you can get whilst still maintaining network segregation; you're not using managed switches so chances are you might have no interest in network segregation at all, but it's still easy to do with dumb switches - you just add more NICs to pfsense and get it to handle things through dumb switches instead - not as neat as a managed switch but cheaper for experimentation purposes.
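A concrete version of the dnsmasq side of this design, added here as an example rather than taken from the poster's own configuration. It serves only the non-domain (guest/lab) segment, forwards internet names to explicitly listed upstream resolvers, hands out DHCP leases that are registered in a local zone without any TSIG or dynamic update against a DC, and shows, commented out, the conditional-forward lines you would add only if guest clients had to resolve domain names. The domain name, interface and every address below are assumptions.

```conf
# dnsmasq.conf for the non-domain (guest/lab) segment.
# Constructed example; the names and addresses are assumptions:
#   corp.example.com    - the AD domain, with DCs at 192.0.2.10 and 192.0.2.11
#   eth1 / 198.51.100.1 - the interface dnsmasq serves, on the guest segment
#   9.9.9.9, 149.112.112.112 - upstream public resolvers (Quad9)

# Serve the guest interface only, so this box never answers on the domain LAN
interface=eth1
bind-interfaces

# Ignore /etc/resolv.conf and list upstream resolvers explicitly
no-resolv
server=9.9.9.9
server=149.112.112.112

# Don't forward bare hostnames or private-range reverse lookups to the internet
domain-needed
bogus-priv

# Guest segment gets its own local domain; DHCP leases are registered under it
# automatically, and names under it are never forwarded upstream
domain=guest.lan
local=/guest.lan/
expand-hosts
dhcp-range=198.51.100.50,198.51.100.200,12h
dhcp-option=option:router,198.51.100.1
dhcp-option=option:dns-server,198.51.100.1
dhcp-authoritative

# Optional: only if guest clients genuinely need to resolve domain names.
# Leaving these out keeps the DCs unreachable from the guest segment, which
# is the segregation the design above aims for.
#server=/corp.example.com/192.0.2.10
#server=/corp.example.com/192.0.2.11
```

With this in place the domain-side resolvers (Windows DNS or samba+bind) forward anything outside the AD zones to the router, while guest clients never learn the DCs' addresses at all; a firewall rule blocking 53/udp+tcp from the guest segment to 192.0.2.0/24 makes that a policy rather than a side effect.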
 

Rand__
Mar 6, 2014
That works only as long as none of your other "services" depend on the internal DNS;)
I registered my vCenter & ESX hosts with my AD domain (didn't think about the implications), so each time my PDC was down I had issues with my vCenter *doh*.
A local hosts file resolved this o/c but it's a lesson to think about dependencies - will have to rework my DNS setup at some point as well to cover that.
 

EffrafaxOfWug
Feb 12, 2015
Even if you're heavily integrated into your current DNS infrastructure, it's easy to solve with a turtles-all-the-way-down approach. It's pretty easy to set up a DNS replica of your internal AD DNS even just on a dumb secondary, so that even if you turn off all your AD DNS servers you'll still have a backup one available somewhere. These days the resource requirements of running a DNS server are effectively nil, so there's no reason for not having multiple servers available for whenever you decide to bounce one of your DCs.
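What that "dumb secondary" looks like in BIND, added here as an example and not taken from the poster's setup: a standalone named instance that holds read-only transferred copies of the AD zones (the domain zone, the separate _msdcs zone that AD clients locate DCs through, and the reverse zone) and forwards everything else to the router resolver. The domain name and all addresses are assumptions.

```conf
// named.conf fragment for a standalone secondary of the AD zones.
// Constructed example; names and addresses are assumptions:
//   corp.example.com - the AD domain; DCs (zone primaries) at 192.0.2.10/.11
//   192.0.2.53       - this BIND host, on the domain LAN
//   192.0.2.1        - the router (pfSense) resolver for everything else
// "type secondary" / "primaries" are the BIND 9.16+ keywords; older
// releases spell them "type slave" / "masters".

options {
    directory "/var/cache/bind";
    listen-on { 192.0.2.53; };
    allow-query { 192.0.2.0/24; };

    // Recursion for domain clients; anything this host is not authoritative
    // for is handed to the router resolver, which handles internet names.
    recursion yes;
    allow-recursion { 192.0.2.0/24; };
    forwarders { 192.0.2.1; };
    forward only;
};

// AD clients need both the domain zone and the _msdcs zone; a Windows DC
// normally holds _msdcs as a separate zone, so it is transferred separately.
// These copies are read-only: clients cannot register or update records
// here, so resolution survives a DC outage but dynamic registration does not.
zone "corp.example.com" {
    type secondary;
    primaries { 192.0.2.10; 192.0.2.11; };
    file "db.corp.example.com";
};

zone "_msdcs.corp.example.com" {
    type secondary;
    primaries { 192.0.2.10; 192.0.2.11; };
    file "db._msdcs.corp.example.com";
};

zone "2.0.192.in-addr.arpa" {
    type secondary;
    primaries { 192.0.2.10; 192.0.2.11; };
    file "db.2.0.192.in-addr.arpa";
};
```

Two things have to happen on the Windows side for this to work: each AD zone must allow zone transfers to 192.0.2.53 (AD-integrated zones refuse transfers by default; in PowerShell that is `Set-DnsServerPrimaryZone -Name corp.example.com -SecureSecondaries TransferToSecureServers -SecondaryServers 192.0.2.53`, repeated for the _msdcs and reverse zones), and 192.0.2.53 must be added to the DNS server list handed out by DHCP, otherwise no client ever asks it. Authentication still needs a live DC, as noted above; this only keeps name resolution up.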
 

Rand__
Mar 6, 2014
Hm, will have to look out how to do that then - was hoping to mirror to my UTM but haven't got a clue how to do that :p Will need to read up then :)
 

EffrafaxOfWug
Feb 12, 2015
Feel free to ignore me as it's likely my own setup might be overcomplicated for your needs. But even if you've only got the one combined domain controller with DNS (which will thus break both authentication and DNS whenever it's down), DNS is basically designed with massive degrees of redundancy in mind, so that you can spin identical replicas of every zone to your heart's content.
 

Rand__
Mar 6, 2014
Yes, I can set up a second Win DNS server, that should be no issue.
But ideally I'd move that role to the second DNS I already have for external systems ...
But that's a hierarchical issue then.. ah, will have to think about that ;)
Maybe I just stand up a second PDC, that will take care of a bunch of issues then.
 

Indrek
May 19, 2015
I haven't seen confirmation, but I'd be shocked if 2.5 would be coming to the SG-1000.
As far as I can see, the AES-NI requirement only applies to x86-based systems. The SG-1000 is ARM-based and has a dedicated crypto accelerator that performs the same duties. Straight from the horse's mouth:
On ARM-based systems, the additional load from AES operations will be offloaded to on-die cryptographic accelerators, such as the one found on our SG-1000.
Based on this, I would assume the SG-1000 will indeed get 2.5.
 