[Freeipa-users] Disadvantages of using external DNS

Petr Spacek pspacek at redhat.com
Wed Dec 12 17:42:17 UTC 2012


On 12/12/2012 06:09 PM, Rashard.Kelly at sita.aero wrote:
> What are the disadvantages of using an external DNS source?
You have to create and update all records by hand. Generally, it will work if 
you are careful. Also, you will get a quest after adding a new IPA replica, 
potentially after adding a host to the IPA realm and so on.


> My three options
> are install DNS services on the IPA server,
That is the best way. It will provide seamless integration for you. All 
records will be created and updated as necessary.


> use the local Active Directory
> DNS, or connect to a linux based DNS appliance.
Generally, they are external DNS servers. I'm not aware of any big differences 
(from IPA point of view).


> Is it common not to use DNS at
> all if so what are the drawbacks?
You can run IPA without any DNS, but it will be a pain. You have to configure 
each host with the address of the KDC etc. Generally, you have to statically 
configure /etc/krb5.conf, /etc/sssd* and others.

We don't support that (in other ways than recommendations). Also, 
configuration without DNS will not work with AD trusts.

> My goal is consolidating all local administration of users to a centralized
> place in our environment. I have been reading the documentation and the
> mailing list archives, forgive me If I have overlooked this answer.
I would recommend adding a sub-domain for IPA and letting IPA manage this 
sub-domain.

If you are in an AD shop "example.com", then you can create the sub-domain 
"ipa.example.com" and delegate (via NS+A records) this ipa sub-domain from the AD 
server to the IPA server with integrated DNS.

Some very basic info can be found in
https://fedorahosted.org/freeipa/ticket/3268
specifically
https://fedorahosted.org/freeipa/attachment/ticket/3268/3268.v2

Let us know if you need any assistance.

>
> Thanks,
> Rashard
>
>
>
>
> This document is strictly confidential and intended only for use by the
> addressee unless otherwise stated. If you are not the intended recipient,
> please notify the sender immediately and delete it from your system.
Good joke (on public mailing list) :-D

-- 
Petr^2 Spacek
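An added consistency check for the NS+A delegation described in the reply above (example code, not from the post or the FreeIPA project): it runs over constructed record sets standing in for the AD parent zone and the IPA child zone instead of live DNS queries, and it also looks for the SRV/TXT discovery records that IPA's integrated DNS publishes (`_kerberos`, `_kpasswd`, `_ldap`), which are assumed here as the expected set.

```python
# Constructed zone data: (owner name, type) -> list of record values.
PARENT = {  # records the AD DNS server serves for example.com
    ("ipa.example.com.", "NS"): ["ipa1.ipa.example.com."],
    ("ipa1.ipa.example.com.", "A"): ["192.0.2.10"],   # glue record in the parent
}
CHILD = {   # records the IPA server serves for the delegated ipa.example.com
    ("ipa.example.com.", "SOA"): ["ipa1.ipa.example.com. hostmaster.ipa.example.com. 1 3600 900 1209600 3600"],
    ("ipa.example.com.", "NS"): ["ipa1.ipa.example.com."],
    ("ipa1.ipa.example.com.", "A"): ["192.0.2.10"],
    ("_kerberos.ipa.example.com.", "TXT"): ["IPA.EXAMPLE.COM"],
    ("_kerberos._udp.ipa.example.com.", "SRV"): ["0 100 88 ipa1.ipa.example.com."],
    ("_kerberos._tcp.ipa.example.com.", "SRV"): ["0 100 88 ipa1.ipa.example.com."],
    ("_kpasswd._udp.ipa.example.com.", "SRV"): ["0 100 464 ipa1.ipa.example.com."],
    ("_ldap._tcp.ipa.example.com.", "SRV"): ["0 100 389 ipa1.ipa.example.com."],
}
# Assumed discovery records: without them clients cannot locate the KDC/LDAP via
# DNS and need the static krb5.conf/sssd configuration mentioned in the thread.
SERVICE_SRV = ("_kerberos._udp", "_kerberos._tcp", "_kpasswd._udp", "_ldap._tcp")

def check_delegation(parent, child, subdomain):
    """Return a list of problems; an empty list means the delegation is consistent."""
    problems = []
    ns_parent = set(parent.get((subdomain, "NS"), []))
    if not ns_parent:
        return [f"no NS records for {subdomain} in parent zone"]
    for ns in ns_parent:
        # A nameserver inside the delegated zone needs an A glue record in the parent,
        # otherwise resolvers cannot reach it to ask about the sub-domain.
        if ns.endswith("." + subdomain) and not parent.get((ns, "A")):
            problems.append(f"missing glue A record for {ns} in parent zone")
    if not child.get((subdomain, "SOA")):
        problems.append(f"child server does not serve SOA for {subdomain}")
    ns_child = set(child.get((subdomain, "NS"), []))
    if ns_parent != ns_child:
        problems.append(f"NS set differs: parent {sorted(ns_parent)} vs child {sorted(ns_child)}")
    for ns in ns_parent:  # stale glue is a classic hand-maintained-DNS failure
        glue, auth = parent.get((ns, "A")), child.get((ns, "A"))
        if glue and auth and set(glue) != set(auth):
            problems.append(f"glue for {ns} ({glue}) differs from authoritative A ({auth})")
    for svc in SERVICE_SRV:
        if not child.get((f"{svc}.{subdomain}", "SRV")):
            problems.append(f"missing SRV record {svc}.{subdomain}")
    if not child.get((f"_kerberos.{subdomain}", "TXT")):
        problems.append("missing _kerberos TXT realm record")
    return problems

if __name__ == "__main__":
    for line in check_delegation(PARENT, CHILD, "ipa.example.com.") or ["delegation OK"]:
        print(line)
```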