[Freeipa-users] need info on AD / IPA coexistence

Steven Jones Steven.Jones at vuw.ac.nz
Fri Feb 24 02:44:59 UTC 2012


I think we are doing the same thing here; we seem to have arrived at the same conclusion! I have the AD DNS servers hand off the sub-domain to the IPA servers, so they are the masters for all things Linux/Unix. The reverse IP domains on the IPA servers are slaved from the AD DNS, however, as the subnets are mixed clients. This means I have to add Linux servers manually in the reverse AD zones; not sure what I will do with clients as they are DHCP. I'll have a look to see if I can do DNS updates for a client dynamically.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
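The open point above (and in Craig's reply further down) is the split ownership of zones: the forward sub-domain is delegated to the IPA servers, while the reverse in-addr.arpa zones stay on the AD DNS servers, so a Linux host has to register its A record with one server and its PTR with another. The script below is an added example, not code from the thread or from FreeIPA itself; it builds the two nsupdate transactions for a host and sends them with GSS-TSIG (`nsupdate -g`, which uses the caller's Kerberos credentials). The zone names, server names, TTL and addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): forward + reverse dynamic
# DNS updates for a Linux host in a split AD/IPA DNS layout.
#   - forward zone (unix.example.com) is delegated from AD to the IPA servers
#   - reverse zone (x.x.x.in-addr.arpa) is still mastered on the AD DNS servers
# All names, addresses and the TTL below are assumed values for illustration.

FWD_ZONE="unix.example.com"      # assumed: sub-domain delegated to IPA
IPA_DNS="ipa1.unix.example.com"  # assumed: IPA server that is master for it
AD_DNS="dc1.example.com"         # assumed: AD DNS server holding the reverse zone
TTL=300

# Map a dotted-quad IPv4 address to its PTR owner name, e.g.
# 10.1.2.3 -> 3.2.1.10.in-addr.arpa.
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Derive the /24 reverse zone that holds that PTR, e.g.
# 10.1.2.3 -> 2.1.10.in-addr.arpa.  (assumes classful /24 reverse zones)
reverse_zone() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa.\n", $3, $2, $1 }'
}

# nsupdate script for the A record; goes to the IPA-hosted forward zone.
# Delete-then-add keeps a host that changed address from accumulating stale A records.
forward_update() {
    host="$1"; addr="$2"
    printf 'server %s\nzone %s.\nupdate delete %s.%s. A\nupdate add %s.%s. %s A %s\nsend\n' \
        "$IPA_DNS" "$FWD_ZONE" "$host" "$FWD_ZONE" "$host" "$FWD_ZONE" "$TTL" "$addr"
}

# nsupdate script for the PTR record; goes to the AD-hosted reverse zone.
reverse_update() {
    host="$1"; addr="$2"
    ptr=$(reverse_name "$addr")
    printf 'server %s\nzone %s\nupdate delete %s PTR\nupdate add %s %s PTR %s.%s.\nsend\n' \
        "$AD_DNS" "$(reverse_zone "$addr")" "$ptr" "$ptr" "$TTL" "$host" "$FWD_ZONE"
}

# Send both updates signed with GSS-TSIG. The caller needs a Kerberos ticket,
# typically from the host keytab: kinit -k (run as root).
apply_updates() {
    forward_update "$1" "$2" | nsupdate -g || return 1
    reverse_update "$1" "$2" | nsupdate -g || return 1
}

# Without --apply the script only prints the transactions for review.
if [ "$1" = "--apply" ]; then
    apply_updates "$2" "$3"
else
    forward_update "${1:-host1}" "${2:-10.1.2.3}"
    reverse_update "${1:-host1}" "${2:-10.1.2.3}"
fi
```

For the forward update to be accepted, the IPA-side zone needs dynamic updates enabled with a policy that lets a host's own principal touch its own name (the `ipa dnszone-mod ZONE --dynamic-update=TRUE --update-policy=...` options, where the policy is usually a `grant REALM krb5-self * A;` style rule). The reverse update is the weak spot in this layout: an AD zone set to "secure only" accepts GSS-TSIG from principals the AD domain itself can authenticate, so a ticket from a separate IPA realm will be refused unless a trust exists or the zone permits nonsecure updates. For DHCP clients the usual way around this is to let the AD-side DHCP server register the PTR on the client's behalf, which is the same mechanism Windows clients already rely on.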

________________________________________
From: Craig T [freeipa at noboost.org]
Sent: Friday, 24 February 2012 3:27 p.m.
To: Brian Cook
Cc: Steven Jones; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] need info on AD / IPA coexistence

Hi Brian,

I spent a lot of time on this topic. In the end we decided to do the
following;

Microsoft domain: melb.example.com
Linux Domain: group.example.com

The linux DNS server is a slave to the Windows AD DNS servers & a
master DNS for "group.example.com".

All PCs point to our Linux DNS server which is hosting a slave copy of
the melb.example.com. Amazingly this all works fine.

note: at the moment at least, we are keeping two separate user lists. I
had sync working at one stage, but couldn't get the group memberships to
come over correctly when going from Linux --> AD.

cya

Craig

On Thu, Feb 23, 2012 at 09:12:37PM -0500, Brian Cook wrote:
> I would not expect that there would be any problem with AD and IPA coexisting when the realm names are different, but I have heard reports that there are problems, especially when Linux clients are configured to use AD for DNS.  Trying to figure out what the problem is.  I understand your delegated dns setup.  What if the customer must use AD for all DNS?
>
> -Brian
>
> On Feb 23, 2012, at 3:28 PM, Steven Jones <Steven.Jones at vuw.ac.nz> wrote:
>
> > Hi,
> >
> > Subnet? IP addressing will not matter; it's DNS that is the main issue, for me anyway. I can't see how IP / subnets matter?
> >
> > So, yes, if you have AD as the same realm as IPA then only one will work well, from what I can read; IPA has to have its neat auto-discovery/balancing features turned off, or at least hobbled.
> >
> > So, as an example, I have vuw.ac.nz as the AD DNS domain / Kerberos realm and then unix.vuw.ac.nz as the sub-domain / sub Kerberos realm, with AD delegating DNS to the IPA servers. This way the unix domain is "independent but referenced"...
> >
> > e.g. I find the auto-discovery is working fine...
> >
> > So Windows clients talk to AD directly, Linux clients talk to IPA directly, and if the Linux clients need to DNS, the IPA servers get that for them from AD...
> >
> > I have some Visio diagrams of how I have done it if you want them... it may not be the best way, but with so little architecture info available it's all I have.
> >
> >
> > regards
> >
> > Steven Jones
> >
> > Technical Specialist - Linux RHCE
> >
> > Victoria University, Wellington, NZ
> >
> > 0064 4 463 6272
> >
> > ________________________________
> > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Brian Cook [bcook at redhat.com]
> > Sent: Friday, 24 February 2012 9:59 a.m.
> > To: freeipa-users at redhat.com
> > Subject: [Freeipa-users] need info on AD / IPA coexistence
> >
> > I have heard that we currently have problems with IPA and AD existing on the same subnet, possibly only when using AD as DNS servers, possibly even when the realm names are different.  I have not been able to find good concrete information or BZ's regarding this.  I am looking for clarification as to what problems exist, why, is it a bug or just a fact, is it our bug or is it a MS-AD issue, etc.  I need to understand what is going on as I have customers who are looking to deploy mixed IPA / AD environments.  Any help or information would be appreciated.
> >
> > Thanks,
> > Brian
> >
> > ---
> > Brian Cook
> > Solutions Architect, West Region
> > Red Hat, Inc.
> > 407-212-7079
> > bcook at redhat.com<mailto:bcook at redhat.com>
> >
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users