<div dir="ltr"> <div><div><div><div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Message: 2 Date: Mon, 27 Jul 2015 17:30:09 +0300 From: Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com">abokovoy@redhat.com</a>> To: John Stein <<a href="mailto:tde3000@gmail.com">tde3000@gmail.com</a>> Cc: <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> Subject: Re: [Freeipa-users] AD trust deployment without IPA authority over reverse lookup zone Message-ID: <<a href="mailto:20150727143009.GC21928@redhat.com">20150727143009.GC21928@redhat.com</a>> Content-Type: text/plain; charset=us-ascii; format=flowed On Mon, 27 Jul 2015, John Stein wrote: >Hi, > >I consider deploying IPA in my organization.The environment is disconnected >from the internet.I have some concerns I'm not sure how to resolve. > >The environment consists mostly of windows servers (thousands) and >workstations (ten thousand) managed by AD (<a href="http://CORP.COM" rel="noreferrer" target="_blank">CORP.COM</a>). There is also a small >linux environment (up to a thousand servers) that are currently not >centerally managed (user-wise). > >I want to utilize IPA and the AD trust feature to implement SSO. > >I'd like to have a sub-domain ran by IPA (<a href="http://LINUX.CORP.COM" rel="noreferrer" target="_blank">LINUX.CORP.COM</a>). > >Because the environment is windows dominated, the AD is used as the >authoritative DNS server for all forward and reverse lookup zones. > >The AD trust requires that both the IPA and AD will be authoritative over >their respective forward and reverse lookup zones. However, the linux and No. We require that *some entity* is responsible for the zones. If you put everything in AD DNS, fine, but then you are responsible for manual update of the zone records and that all specific records are there. >windows servers are spread across multiple subnets without any big-scale >logic, therefore it is not practical to create a reverse lookup zone for >each subnet in the IPA server as those subnets contain both linux and >windows machines. You cannot have machines from IPA and AD domains in the same DNS zone at the same time. A/AAAA records of those IPA and AD machines must belong to different DNS zones. This is basic requirement of Active Directory deployment -- each AD domain is responsible for at least one DNS zone and you cannot have machines from two different AD domains in the same DNS zone. >I came up with some solutions: > >1) Have only the AD as a DNS server and give up on ipa-client-install and >automatic client registration. Totally unrelated to how you handle DNS zones. ipa-client-install does not require you to allow creation of DNS records. It can sufficiently work with a configuration where a DNS record for the host is pre-created. >2) DNS synchronization between IPA and AD. Unrelated and is not recommended. In DNS lexicon only a single entity is responsible for the single DNS zone. IPA cannot be authoritative at the same time as AD. (Neither we support IPA being a slave for other DNS server). >3) Have the IPA manage the forward zone (<a href="http://linux.corp.com" rel="noreferrer" target="_blank">linux.corp.com</a>), and have the >clients update its own A record automatically upon ipa-client-install, >while having the AD manage the reverse zones (A or B class subnets) with me >creating the PTR records manually. The IPA will be configured as a >conditional forwarder for <a href="http://linux.corp.com" rel="noreferrer" target="_blank">linux.corp.com</a>, while the AD will be configured >as a global forwarder in the IPA server. That would work. There is a bug in nsupdate tool that prevents you from GSSAPI-updating PTR records (over AD trust) so going with manual PTR records would work. You need to make sure AD has no policy to periodically remove PTR records for Linux machines. -- / Alexander Bokovoy </blockquote><div> </div></div> </div></div></div></div></div></div>