Im trying to setup my Pihole to be the primary DNS for Windows clients trying to connect to Active Directory. So far, my search has been less than encouraging to say the least.
What I want to do is have the clients use the PiHole to look for the active Directory. If it doesn't find it, it will forward the request by using "conditional forwarding" to active directory. Active Directory will reply and allow new Windows client to join the Windows Domain Controller.
The current setup is Router (ubiquiti USG-3P) is the DHCP server.
Pihole serves DNS queries for all clients of all O/S's.
Want: Windows Active Directory to be access by new Windows 10/11 clients to be able to join.
If I setup the new clients' DNS to point directly to the Active Directory, it will successfully join. But once I put them back on the PiHole DNS, queries/joins fail.
The Windows server with AD has Windows DNS setup, and those have forwarders set to PiHole, which I think isn't ideal as it could create a "loop". However, if Pihole is setup to "conditionally forward" DNS queries, AD should reply and that will be good.
I've tried the Conditional Forwarding in PiHole as follows:
LocalNetwork IN: 192.168.1.0/24
domain: myhomedomain.home
address of your DHCP server: 192.168.1.1
Other things that I've tried:
remove (uncheck) the conditional forwarding settings
then use custom upstream and added the Windows AD server IP (192.168.1.17)
Another try was:
add the AD to /etc/hosts as ad.myhomedomain.home ad
Your interpretation of what I'm trying to accomplish is correct.
Why do I want this setup? (i.e.
Windows Machines -> Pi-hole -> Windows AD Server
.)
That's because I can log and control each machine without spreading it out between AD and Pihole for DNS. AD would just do GP auth & management. It's much simpler to know where to look for things long term.
Putting your AD server before Pi-hole in your DNS resolution chain will make your AD server the only client of Pi-hole. Without further measures, you won't be able to attribute DNS requests to individual clients that way.
I think your intended original configuration was correct:
Clients --> Pi-hole -------> public DNS resolvers
| ^
+-- via CF --> Windows AD Server -+
But your actual CF configuration looks wrong:
I guess that's your router on 192.168.1.1?
In your case, that should be your AD's IP address.
If for some reasons you would still need your router to also answer some of the DNS requests relating to local names, you could create a custom dnsmasq configuration file for a distinctive second target (i.e. an additional Conditional.Forwarding).
If you do it the way rdwebdesign suggested, that would enable you to revert your AD back to its known working state. Then change the Windows Server's DNS to use only the Pi-hole, and the Pi-hole's upstream DNS to use whatever was previously being used by the Windows server (external DNS or router for DNS). Pi-hole can still be used to block unwanted domains for site-wide benefit, even if you don't see specific clients in there.
Before:
Clients --> Win Srv --> router or external DNS
After:
Clients --> Win Srv --> Pi-hole --> router or external DNS
So the better solution still is to "Conditional Forward" or "DNS Request routes". This way, any Windows AD related queries will be routed to it while website or internet requests will be immediately routed by PiHole.
Observation:
Even though my Windows client is using Pihole DNS servers, it doesn't always seems to work with queries like "ping pihole2" or "ping docker_containers".
May be I need to better understand how AD works. It seems that a DNS+DHCP handled by PiHole may be better as PiHole will know what machine?
Hey @okynnor I stumbled across this reddit post which may help you. It seems that the first commenter brod33p is doing the same as what you want. He's using a custom dnsmasq config to send AD queries to the DCs and let Pi-hole handle the none-domain queries directly. Worth a look, and some other commenters further down have other input too. Simialr to your earlier reddit post, but this includes some specific steps, files etc
If that's referring to a few lines in some /etc/dnsmasq.d/02-custom.conf:
That may not be necessary, as it could be achieved by correctly configuring Pi-hole's Conditional Forwarding. I emphasise correctly here, as it would seem to me that okynnor's original attempt was flawed:
So before venturing into custom configs, I'd like to resuggest trying to replace 192.168.1.1 by the respective AD's IP address in Pi-hole's Conditional Forwarding UI.
HOLY! It worked, @Bucking_Horn !!
THANK YOU. So simple and elegant was the solution.
Steps I took to check that it's actually working on the Windows workstation now connected to AD.
Did it join the domain without any errors? YES!
successfully logged and downloaded GP policies
confirmed again by running gpupdate /force - computer policy update has updated successfully.
ran ifconfig /all - the DNS was indeed pointing to the two DNS server -- not to AD
checked on Pihole to make sure that the new workstation was actually showing on the Pihoile by looking at the Query logs -- YES, it was! (though the name was different from the Windows computer name -- that is: PiHole display : WINU9IAD9EFG6F.mydomain.home and Windows machine full device name: DESKTOP-J7N8GRB.ad.mydomain.home
On point #4, even if it the name don't watch, as long as it is blocking (and it is blocking unwanted ads), I'm happy.
If I missed anything on my domain join confirmation tests, please let me know.
