[Freeipa-users] Trust relationship redundancy

William Muriithi william.muriithi at gmail.com
Wed Nov 5 20:21:53 UTC 2014

Sorry, missed your response earlier.
On 4.11.2014 21:57, William Muriithi wrote:
> Afternoon,
> I have two AD and would like to retain that redundancy within IPA after
> establishing trust relationship. How would one achieve that?
> I have attempted the following:
> [root at ipa3-yyz-int ~]# ipa dnszone-add example.local
> --name-server=srvyyzdc02.example.local --name-server=srvyyzdc01.example.local
> --admin-email='systemadmin at example.com' --force --forwarder=
> --forwarder= --forward-policy=only --ip-address=
> --ip-address=
> ipa: ERROR: invalid 'idnssoamname': Only one value is allowed
> And got the following error above


>Could you explain what you are trying to achieve, please?

Was trying to make sure the trust remains in place even if we lose one of the master ADs.

>What version of FreeIPA do you use?

Version 3.3. Default on CentOS 7 with all updates applied. Not at the office at the moment so can't post the precise rpm version.

> Commands 'ipa dnszone-*' manage DNS and are not strictly related to AD trusts.
> If you add a DNS zone to one IPA server it is automatically served by all other
> servers. This applies to master & forward zones too.

Ah. I see. I misunderstood the documentation then.

So, would IPA know there are two Active Directories in the network even without being explicit in the configuration? I am guessing through DNS?

If not, what would be needed to clue it in to this fact?

> To get full redundancy for *master* zones you have to add all names of IPA DNS
> servers to NS records in the zone and also to its parent zone. (BTW FreeIPA
> 4.1 will manage in-zone NS records automatically for you.)
>
> For forward zones you don't need to do anything else. It should just work.

Petr^2 Spacek
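As an added example (not from this thread or the FreeIPA project), a small POSIX shell check for the NS-record advice above: given the names of all IPA DNS servers, it reports which ones are missing from a zone's NS RRset, so the redundancy of a master zone (and of its parent zone) can be audited. The zone and server names are assumptions; the `ns_missing` function takes the `dig +short NS` answer as text so it can be tested without network access.

```shell
#!/bin/sh
# Hypothetical helper: list expected IPA DNS server names that do NOT appear
# in a zone's NS RRset.  $1 = expected names (whitespace separated),
# $2 = NS answer text, one name per line, as printed by "dig +short NS zone".
# Comparison is case-insensitive and ignores the trailing dot dig prints.
ns_missing() {
    expected="$1"
    answer="$2"
    missing=""
    for host in $expected; do
        h=$(printf '%s' "$host" | tr 'A-Z' 'a-z' | sed 's/\.$//')
        if ! printf '%s\n' "$answer" | tr 'A-Z' 'a-z' | sed 's/\.$//' \
             | grep -qxF "$h"; then
            missing="$missing $h"
        fi
    done
    printf '%s' "${missing# }"
}

# Live check (needs network and dig): prints missing servers for the zone
# itself and for its parent zone, the two places the thread says NS records
# must exist for full redundancy of a master zone.
check_zone_ns() {
    zone="$1"; shift
    parent=${zone#*.}
    for z in "$zone" "$parent"; do
        gap=$(ns_missing "$*" "$(dig +short NS "$z")")
        [ -n "$gap" ] && printf 'zone %s is missing NS for: %s\n' "$z" "$gap"
    done
}

# Example (assumed names): check_zone_ns int.example.local \
#     ipa1.example.local ipa2.example.local ipa3-yyz-int.example.local
```

Note that the error in the original command came from repeating `--name-server`, which sets the single-valued SOA MNAME; redundancy comes from the zone's NS records, not from that option.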



Freeipa-users mailing list
Freeipa-users at redhat.com

End of Freeipa-users Digest, Vol 76, Issue 10