Running a domain controller in AWS with pfSense was one of the main goals I had for this whole project. It took a fair bit of research to get everything up and running but I eventually figured it out with the help of the pfsense.org forum (thanks, guys!).
This tutorial assumes you are using the pfSense DNS Resolver.
If you followed the previous tutorial, you are set up to the point where we established a successful site to site VPN tunnel between our AWS VPC and the pfSense firewall inside our company network. Now I will not show you how you set up a domain controller as an EC2 instance, there are plenty of tutorials out there (If you want that I cover it let me know in the comments tho.)
I assume you know how to promote a Windows Server 2016 to a domain controller.
So why an extra tutorial on that? Because we somehow need to forward DNS requests to our domain controller, so our clients can talk to the domain controller and to each other.
pfSense will still handle all outgoing DNS requests pointed towards the internet, we will set pfSense up to only override DNS requests pointed towards to our domain.
If you try to add a client to your domain, you will not be able to do so because pfSense doesn’t have a DNS entry for your domain.
Let us go through the steps real quick.
Part 1 Setting up a Domain Override in pfSense
1.1 Setting up a Domain Override in pfSense - Open your pfSense Web Interface and navigate to: Services / DNS Resolver / General Settings and scroll all the way to the bottom - Click on +Add under Domain Overrides
1.2 Setting up a Domain Override in pfSense - 1 Check if you are on Services / DNS Resolver / General Settings / Edit Domain Override - 2 Enter the name of your Domain - 3 Enter the IP Address of your Domain Controller - 4 Enter a description - Click on Save - Click on Apply Changes
1.3 Setting up a Domain Override in pfSense - Scroll down all the way to the bottom and check if the Domain Override was applied correctly
Now comes the part that caused me a little headache to figure out, but thanks to the pfSense forum again, I was able to find a solution. This problem seems to be around for many years but gladly there is a workaround for that.
You need to change your Outgoing Network Interfaces on the DNS Resolver from ALL to LAN + Localhost.
Part 2 Applying the workaround
2.1 Applying the workaround - Navigate to Services / DNS Resolver / General Settings - Find Outgoing Network Interfaces - Mark ONLY LAN and Localhost - Scroll down and click on Save - Click on Apply Changes
And that’s it! Now you should be able to join your domain with a computer inside of your local network. If you have any suggestions leave them below in the comment. I will also make a video on this soon.