What about adding alias DNS record of hostname.ipa.zone.corp to all linux machines, so they will keep the old FQDM. <div class="gmail_quote">On Feb 12, 2014 10:49 AM, "Martin Kosek" <<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On 02/11/2014 07:29 PM, Genadi Postrilko wrote: > I work in environment where the AD is the DC of the windows machines , > while the linux machines (RHEL 5\6) are not centrally managed. > I would like to create an IPA server to manage the linux machines while > creating a trust with AD. > The current situation is all windows and linux machines are under > .zone.corp domain. >>From what ive read at > <a href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide.html" target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide.html</a>, > i can create trust when IPA is a subdomain of AD domain or when the > domains are separate. I'm not sure what is the method i should approach. > Can IPA be a dc inside the AD domain? Or should i create a subdomain for > linux and then move all the linux machines to the new domain (I hope not). > > Any advice? The key here is that for IPA and AD to be able to work together in a trust, they need to be in separate domains with realm matching this domains. In your case, it seems to me that a following scenario would work the best: * AD with domain zone.corp and realm ZONE.CORP * IPA with domain ipa.zone.corp and realm IPA.ZONE.CORP Ideally, IPA should have DNS installed and have the ipa.zone.corp delegated from the AD DNS (or other DNS you use). More info here: <a href="http://www.freeipa.org/page/Trusts" target="_blank">http://www.freeipa.org/page/Trusts</a> Martin </blockquote></div>