[Freeipa-users] Partial Domain Authority

Simo Sorce simo at redhat.com
Tue Apr 8 22:06:58 UTC 2014


On Tue, 2014-04-08 at 16:42 -0500, Justin Brown wrote:
> I'm sure that I'm doing this very wrong, but I'm wondering if anyone
> can offer any solutions.
> 
> I currently have a relatively small domain that's used internally.
> Let's say fandingo.org. This domain covers various class C networks on
> 192.168.0.0/16. Currently, there's an Active Directory server that
> provides internal (and forwarding) DNS for fandingo.org. I'm in the
> experimentation phase with FreeIPA in this environment and don't want
> to modify anything outside of FreeIPA for the time being.
> 
> FreeIPA is set up with DNS and has the fandingo.org domain controllers
> set up as forwarders. I have my laptop joined to the FreeIPA domain,
> but that's where the problem starts. I can correctly resolve any
> *.fandingo.org resource in FreeIPA. The problem is that I want to
> resolve *.fandingo.org resources that are defined in the Active
> Directory DNS.
> 
> Does anyone know how I can configure FreeIPA/BIND to forward all
> requests (even those for its own domain) that it can't satisfy rather
> than returning NXDOMAIN?

Is FreeIPA shadowing an AD domain?
I.e., are the AD domain and FreeIPA domain using the same domain name?

That would be bad.
If you want to manage fandingo.org in AD it would be a better idea to
create an ipa.fandingo.org domain for IPA. Then set forwarders *both* ways
(or just delegate the domain from AD), to IPA, so all clients regardless
of what DNS server they are using can resolve both *.fandingo.org hosts (via
AD DNS) and *.ipa.fandingo.org hosts (via FreeIPA DNS).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
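As an added example (not from this thread, and not FreeIPA or BIND code), a small Python model of the resolution behaviour discussed above: when both servers claim fandingo.org, the IPA server returns NXDOMAIN for AD-only hosts because an authoritative server answers for names in its own zone and never forwards them, whereas a delegated ipa.fandingo.org plus forwarders lets either server resolve both sets of hosts. The hostnames and 192.168.x.x addresses are constructed.

```python
# Toy model of the decision an authoritative DNS server makes for a query:
# answer from its own zone, say NXDOMAIN, refer to a delegated subzone, or
# forward. Added to illustrate the thread; it is not FreeIPA or BIND code,
# and the names/addresses (fandingo.org, 192.168.x.x) are constructed.
NXDOMAIN = "NXDOMAIN"


class Server:
    def __init__(self, zones, delegations=None, forwarders=None):
        self.zones = zones                    # {zone: {fqdn: ipv4}}
        self.delegations = delegations or {}  # {subzone: Server} (NS records)
        self.forwarders = forwarders or []    # servers asked for names not ours

    @staticmethod
    def _in(name, zone):
        return name == zone or name.endswith("." + zone)

    def resolve(self, qname):
        zones = [z for z in self.zones if self._in(qname, z)]
        if zones:
            zone = max(zones, key=len)
            for sub, child in self.delegations.items():
                if self._in(sub, zone) and self._in(qname, sub):
                    return child.resolve(qname)  # referral to the child zone
            # Authoritative and no delegation: answer or NXDOMAIN. Forwarders
            # are never consulted here, which is why a shadowed zone hides AD's hosts.
            return self.zones[zone].get(qname, NXDOMAIN)
        for fwd in self.forwarders:              # not our zone: ask a forwarder
            answer = fwd.resolve(qname)
            if answer != NXDOMAIN:
                return answer
        return NXDOMAIN


def shadowed_setup():
    """Poster's layout: AD and IPA both authoritative for fandingo.org."""
    ad = Server({"fandingo.org": {"fileserver.fandingo.org": "192.168.1.20"}})
    ipa = Server({"fandingo.org": {"ipa1.fandingo.org": "192.168.10.5"}}, forwarders=[ad])
    return ad, ipa


def delegated_setup():
    """Suggested layout: AD delegates ipa.fandingo.org to IPA; IPA forwards the rest to AD."""
    ipa = Server({"ipa.fandingo.org": {"ipa1.ipa.fandingo.org": "192.168.10.5"}})
    ad = Server({"fandingo.org": {"fileserver.fandingo.org": "192.168.1.20"}},
                delegations={"ipa.fandingo.org": ipa})
    ipa.forwarders.append(ad)
    return ad, ipa
```

In the shadowed layout `ipa.resolve("fileserver.fandingo.org")` yields NXDOMAIN even though AD knows the host; in the delegated layout both servers resolve both hosts.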
