[Freeipa-users] need info on AD / IPA coexistence

Sylvain Angers sylvainangers at gmail.com
Thu Mar 8 16:54:34 UTC 2012


Alright!

I am now requesting to our DNS team

please delegate dns zone "unix.abcd.ca" to ???
Question: should the ipa server fqdn be ipaserver.unix.abcd.ca or
ipaserver.abcd.ca?

does it matter?

thanks

2012/3/8 Simo Sorce <simo at redhat.com>

> On Thu, 2012-03-08 at 09:46 -0500, Sylvain Angers wrote:
> > Hi Again
> > Our current Linux/AIX servers fqdn should remain on abcd.ca domain
> >
> > I need an advice: Should the ipa server fqdn be ipa.abcd.ca or
> > ipa.unix.abcd.ca?
>
> You can have machines on a different DNS domain with FreeIPA.
> So you can use unix.abcd.ca for your IPA server and still install
> clients in abcd.ca.
>
> I think the only thing you should take care of is to make sure an
> abcd.ca -> UNIX.ABCD.CA mapping in krb5.conf under the [domain_realm]
> section is available on all machines of the domain to avoid issues
> resolving the correct realm for clients in the other domain.
>
> On clients this should be automated in the very last release but the ipa
> server needs to be configured after install.
>
> > and on the Linux/AIX server, should we add entry of both dns (ipa and
> > Microsoft AD) in resolv.conf?
>
> No, that would not work. What you should do is ask your DNS admin to
> delegate you the unix.abcd.ca zone. Once that is done it doesn't matter
> which DNS you are querying they will know who to ask.
> If delegation is not possible you could still use named forwarders in
> both IPA and AD so that each DNS server still knows where to forward
> requests for the specific domain. This again will allow you to use
> whatever DNS your network uses and have queries properly forwarded
> around.
>
> > domain unix.abcd.ca
> > search unix.abcd.ca abcd.ca
> > nameserver ipa_adress
> > nameserver ad_adress
> >
> No, don't do this as a way to not configure the DNS servers, it won't
> work and will cause really confusing mis-behaviors if the DNS servers
> themselves do not know how to talk to each other.
>
> If delegation of zones or forwarding is properly set up though then this
> scheme would allow you to have a fallback when either infrastructure is
> temporarily unreachable.
> >
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>


-- 
Sylvain Angers
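The [domain_realm] point Simo makes above, shown as an added example that is not part of this thread: a simplified model of how a Kerberos client picks a realm for a host name (exact-host entry first, then the longest matching ".parent" entry, then the fallback of upper-casing the host's domain; DNS TXT lookups are ignored). The two krb5.conf fragments are constructed, and the hostnames are placeholders.

```python
"""Model of MIT krb5 [domain_realm] host-to-realm mapping (simplified)."""
import configparser

# Constructed fragment with the abcd.ca -> UNIX.ABCD.CA mapping Simo recommends.
KRB5_CONF_MAPPED = """
[domain_realm]
.unix.abcd.ca = UNIX.ABCD.CA
unix.abcd.ca = UNIX.ABCD.CA
.abcd.ca = UNIX.ABCD.CA
abcd.ca = UNIX.ABCD.CA
"""

# Constructed fragment as left by a default install: only the IPA domain mapped.
KRB5_CONF_UNMAPPED = """
[domain_realm]
.unix.abcd.ca = UNIX.ABCD.CA
unix.abcd.ca = UNIX.ABCD.CA
"""


def domain_realm_map(krb5_conf_text):
    """Parse the [domain_realm] section into {domain_or_host: REALM}."""
    cp = configparser.ConfigParser(delimiters=("=",))
    cp.read_string(krb5_conf_text)
    # configparser lower-cases keys, which matches DNS case-insensitivity.
    return dict(cp["domain_realm"])


def realm_for_host(host, mapping):
    """Return (realm, reason) for host using krb5's domain_realm rules."""
    host = host.lower().rstrip(".")
    if host in mapping:                      # exact host entry wins
        return mapping[host], "exact"
    labels = host.split(".")
    for i in range(1, len(labels)):          # longest ".parent" suffix first
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix], "suffix " + suffix
    # No mapping: krb5 falls back to the upper-cased parent domain, which for
    # an abcd.ca client yields a realm (ABCD.CA) that does not exist here.
    return ".".join(labels[1:]).upper(), "fallback"


if __name__ == "__main__":
    for conf in (KRB5_CONF_MAPPED, KRB5_CONF_UNMAPPED):
        m = domain_realm_map(conf)
        print(realm_for_host("web01.abcd.ca", m))
```

Run as a script it prints the realm chosen for a client in abcd.ca with and without the extra mapping, which is the mis-resolution Simo warns about.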