Internet to network only works if Windows DC server is running, how to fix?

[opnuser1]

I have a bit of an unusual problem I've never been able to figure out.  I apologize in advance as I can't post any screenshots since my machines are in storage at the moment.  But this is a problem I was never able to fix, and I'll describe it as best as I can.
Before I had opnsense, I had just a regular wifi router.  I have a bunch of windows machines running on a Windows AD network.  When I got the opnsense machine, I placed it in front of everything.  The problem I have is that the internet to all the machines only works if the Windows domain controller server is connected.  I'd like the internet to work even if the DC is not connected, if that is even possible.  I'd like to do this without needing to move that role to opnsense since like I said it's a whole windows network.

Is there a way to do this?  As far as I remember, in opnsense, I had to put the internal lan name of the domain controller in the section of opnsense for general, system somewhere.  And everything works fine, I was wondering if there is a way for the internet to get passed through even when the DC is not actually connected.  or any other workaround where I can still have the windows DC handling those roles without transferring to opnsense that accomplishes the same thing.

Sorry if the info is not specific enough, this is the best I can remember.

[Patrick M. Hausen]

For an active directory domain to function all member systems must use the DC(s) and the DC(s) only as their DNS server(s).

Also you probably have DHCP running on your DC?

To have OPNsense take over has a high probability of breaking your domain - so why do you want to change what is supposed to work in exactly this way?

[opnuser1]

Ah yes, thank you for the response.  Yes you just reminded me of something.  I don't have the DHCP role on the windows DC, I actually am using opnsense for that and prior to that, I was using the DHCP on my regular wifi router.  Perhaps this is an issue also?  I was intending on moving it to the Windows DC.

I don't necessarily want to do anything weird, I just remember that before I used opnsense and just had that router, if the DC went down, the rest of the machines still had internet access.  I am trying to come up with a way to have that working with opnsense as well, if possible. 

[Greg_E]

In your DHCP, you could hand out the DNS servers like this:

1st: DC DNS address
2nd: firewall DNS address

There may be a delay as the client switches between the two, and there might be problems with the DC.

Also, it's not required to run Windows DNS, but the domain controller must have access to update records on the third party DNS server. If you want to figure that part out, and configure your DC to work like this, then you can specify a different DNS server, and that server might be able to run on your firewall. Lots of mights and maybes, but it should work. Lots of systems have Windows AD and Unix/Linux DNS and DHCP running, it's just a process of setting everything up properly to talk to each other and update properly.

[Patrick M. Hausen]

In your DHCP, you could hand out the DNS servers like this:

1st: DC DNS address
2nd: firewall DNS address

This makes for all sorts of "interesting" failure modes unless you put a DNS forward for your internal domain in the Unbound config.

Services > Unbound DNS > Query forwarding

Add two entries:

- Domain: mydomain.lan
- Server IP: IP of your DC
- Server Port: 53

- Domain: _msdcs.mydomain.lan
- Server IP: IP of your DC
- Server Port: 53

HTH,
Patrick

[Greg_E]

You are right, it can be problems, and a lot of problems when using AD (been there, done that). The better choice would be configuring AD to use the firewall DNS.

[opnuser1]

Thank you gentlemen, for these responses.  Sorry for the delay.  I may be able to connect the machines soon and try these things out.  In the meantime, I am studying what you wrote and learning to see what I should do.  I'll respond again shortly.