Internet to network only works if Windows DC server is running, how to fix?

Started by opnuser1, October 09, 2024, 08:48:40 AM

I have a bit of an unusual problem I've never been able to figure out.  I apologize in advance as I can't post any screenshots since my machines are in storage at the moment.  But this is a problem I was never able to fix, and I'll describe it as best as I can.
Before I had opnsense, I had just a regular wifi router.  I have a bunch of windows machines running on a Windows AD network.  When I got the opnsense machine, I placed it in front of everything.  The problem I have is that the internet to all the machines only works if the Windows domain controller server is connected.  I'd like the internet to work even if the DC is not connected, if that is even possible.  I'd like to do this without needing to move that role to opnsense since like I said it's a whole windows network.

Is there a way to do this?  As far as I remember, in opnsense, I had to put the internal lan name of the domain controller in the section of opnsense for general, system somewhere.  And everything works fine, I was wondering if there is a way for the internet to get passed through even when the DC is not actually connected.  or any other workaround where I can still have the windows DC handling those roles without transferring to opnsense that accomplishes the same thing.

Sorry if the info is not specific enough, this is the best I can remember.

For an active directory domain to function all member systems must use the DC(s) and the DC(s) only as their DNS server(s).

Also you probably have DHCP running on your DC?

To have OPNsense take over has a high probability of breaking your domain - so why do you want to change what is supposed to work in exactly this way?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Ah yes, thank you for the response.  Yes you just reminded me of something.  I don't have the DHCP role on the windows DC, I actually am using opnsense for that and prior to that, I was using the DHCP on my regular wifi router.  Perhaps this is an issue also?  I was intending on moving it to the Windows DC.

I don't necessarily want to do anything weird, I just remember that before I used opnsense and just had that router, if the DC went down, the rest of the machines still had internet access.  I am trying to come up with a way to have that working with opnsense as well, if possible. 

In your DHCP, you could hand out the DNS servers like this:

1st: DC DNS address
2nd: firewall DNS address

There may be a delay as the client switches between the two, and there might be problems with the DC.

Also, it's not required to run Windows DNS, but the domain controller must have access to update records on the third party DNS server. If you want to figure that part out, and configure your DC to work like this, then you can specify a different DNS server, and that server might be able to run on your firewall. Lots of mights and maybes, but it should work. Lots of systems have Windows AD and Unix/Linux DNS and DHCP running, it's just a process of setting everything up properly to talk to each other and update properly.

Quote from: Greg_E on October 10, 2024, 03:20:37 PM
In your DHCP, you could hand out the DNS servers like this:

1st: DC DNS address
2nd: firewall DNS address

This makes for all sorts of "interesting" failure modes unless you put a DNS forward for your internal domain in the Unbound config.

Services > Unbound DNS > Query forwarding

Add two entries:

- Domain: mydomain.lan
- Server IP: IP of your DC
- Server Port: 53

- Domain: _msdcs.mydomain.lan
- Server IP: IP of your DC
- Server Port: 53

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

You are right, there can be problems, and a lot of problems, when using AD (been there, done that). The better choice would be configuring AD to use the firewall DNS.

Thank you gentlemen, for these responses.  Sorry for the delay.  I may be able to connect the machines soon and try these things out.  In the meantime, I am studying what you wrote and learning to see what I should do.  I'll respond again shortly.

Hi guys, I have the network up and running now.  So I found the only place in opnsense where I use the Windows DC information is here.
in DHCP4 > LAN
for DNS servers I put the ip address of the Windows DC server (192.168.1.78)
for the domain name I put the local lan name. (local.lan)

I found that without these settings, the network doesn't really work well.  But as I mentioned, if the DC is not connected, the internet is not accessible at all for any of the computers in the network.  I'd like the internet to still work, even if the DC is offline.  When I didn't use opnsense, and just used a router, this was the behavior...with the DC offline, the internet still worked with the router.

If there is a better way to configure this stuff, please advise.  Thank you.


This is kind of a question for Patrick:

Could conditional forwarders be set up in Unbound and the DC so that domain clients can use the firewall as DNS unless they are looking for a service from the DC? It's hacky and backwards, but would this work?

And that said, can Unbound use conditional forwarders? Is that the domain override tab? Setting these Windows to Windows is trivial, but I'm not sure about Unbound or any of the other DNS servers available in OPN.

Quote from: Greg_E on December 18, 2024, 03:43:22 PM
Could conditional forwarders be set up in Unbound and the DC so that domain clients can use the firewall as DNS unless they are looking for a service from the DC? It's hacky and backwards, but would this work?

Perfectly valid and preferred IMHO (but that's arbitrary, as almost all IT design ;-)). AD heavily depends on DNS, but "the Internet" was here decades before, so you don't have to hijack your main DNS infrastructure with MS AD DNS, just add it as an add-on (Query Forwarding).

Quote
And that said, can Unbound use conditional forwarders? Is that the domain override tab? Setting these Windows to Windows is trivial, but I'm not sure about Unbound or any of the other DNS servers available in OPN.

Services: Unbound DNS: Query Forwarding would be the right place. Be sure to not only forward your "primary" AD domain, but _all_ your reverse lookups too, so "100.168.192.in-addr.arpa", "101.168.192.in-addr.arpa", etc. should be forwarded to the AD DNS (Kerberos, etc.).

Beware that forwarding your AD DNS through your primary DNS infrastructure (OPNsense) assumes some redundancy: if your single forwarding OPNsense box is down, your (MS AD) DNS is down (from a client perspective).
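As an added illustration (not from this thread or from the OPNsense project), the script below shows what the Query Forwarding entries above amount to in raw Unbound syntax: one forward-zone for the AD domain, one for its _msdcs subdomain, and one for every in-addr.arpa zone covering the LAN subnets, all pointed at the DC. It generalizes the per-/24 reverse zones to any IPv4 prefix (a /23 yields two zones, a /16 one zone). The domain local.lan and the DC address 192.168.1.78 are taken from the OP's post; the subnet list is constructed for the example.

```python
import ipaddress

def reverse_zones(cidr: str) -> list[str]:
    """Return the in-addr.arpa zone names that cover an IPv4 prefix.

    Reverse zones are delegated on octet boundaries, so a prefix is
    rounded up to the next whole octet and split into one zone per
    octet-aligned subnet: 192.168.100.0/23 -> 100.168.192.in-addr.arpa
    and 101.168.192.in-addr.arpa; 10.0.0.0/8 -> 10.in-addr.arpa.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 prefixes only")
    octets = max(1, -(-net.prefixlen // 8))          # ceil(prefixlen / 8)
    zones = []
    for sub in net.subnets(new_prefix=octets * 8):
        labels = str(sub.network_address).split(".")[:octets]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones

def unbound_forward_zones(ad_domain: str, dc_ip: str,
                          subnets: list[str], port: int = 53) -> str:
    """Emit Unbound forward-zone stanzas equivalent to the GUI entries.

    The AD domain, _msdcs.<domain> and every reverse zone of the LAN
    subnets are forwarded to the DC so SRV lookups (Kerberos, LDAP)
    and PTR lookups keep working when clients only talk to OPNsense.
    """
    names = [ad_domain, f"_msdcs.{ad_domain}"]
    for cidr in subnets:
        names.extend(reverse_zones(cidr))
    stanzas = [
        "forward-zone:\n"
        f'    name: "{name}."\n'
        f"    forward-addr: {dc_ip}@{port}\n"
        for name in names
    ]
    return "\n".join(stanzas)

if __name__ == "__main__":
    # Constructed sample: OP's domain and DC, plus a /23 to show splitting.
    print(unbound_forward_zones("local.lan", "192.168.1.78",
                                ["192.168.1.0/24", "192.168.100.0/23"]))
```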

The best solution would be to run a standalone DNS and have it on always. My larger IT department does this with some kind of linux/unix DNS servers (and DHCP). I'm not sure what kind of work they need to do with the AD and Azure, might be as simple as having AD update this standalone DNS, another config option when building your AD. Windows AD does not require Windows DNS, but it does require a DNS server it can modify.

That said, it's much easier to just blast through the vanilla AD install and let it handle the Windows DNS (nice and integrated), which is I'm guessing what the OP did when setting up the DC.

If I was the OP, and I wanted a DC running, I'd buy a "cheap" little pc and just run it. I have Zentyal CE running at home on a Mele Quieter2 which is a very low power device. It works, and it works fine for DNS, DHCP, etc. If the goal is to learn Windows Server, then buy this small PC and run Zentyal CE on it, join it as a second DC to the Windows domain and make it the primary DNS and DHCP server so it can run all the time.

Quote from: Greg_E on December 18, 2024, 03:43:22 PM
This is kind of a question for Patrick:

Already answered in detail here:

https://forum.opnsense.org/index.php?topic=43296.msg215460#msg215460

Configure like I outlined, distribute the OPNsense IP address as the only DNS server via DHCP.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on October 10, 2024, 03:27:11 PM
Quote from: Greg_E on October 10, 2024, 03:20:37 PM
In your DHCP, you could hand out the DNS servers like this:

1st: DC DNS address
2nd: firewall DNS address

This makes for all sorts of "interesting" failure modes unless you put a DNS forward for your internal domain in the Unbound config.

Services > Unbound DNS > Query forwarding

Add two entries:

- Domain: mydomain.lan
- Server IP: IP of your DC
- Server Port: 53

- Domain: _msdcs.mydomain.lan
- Server IP: IP of your DC
- Server Port: 53

HTH,
Patrick
When I try to add the _msdcs.mydomain.lan it says "A valid domain must be specified." and I am unable to continue.  I can't seem to get past it.

edit... I just checked and it's the underscore that it won't accept.  Not sure how to get around it.

Quote from: opnuser1 on December 22, 2024, 09:35:09 AM
When I try to add the _msdcs.mydomain.lan it says "A valid domain must be specified." and I am unable to continue.  I can't seem to get past it.

edit... I just checked and it's the underscore that it won't accept.  Not sure how to get around it.

Open an issue on github - that's a bug.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)