[Freeipa-users] Trust relationship redundancy

Alexander Bokovoy abokovoy at redhat.com
Wed Nov 5 20:36:02 UTC 2014


On Wed, 05 Nov 2014, William Muriithi wrote:
>Peter,
>
>Sorry, missed your response earlier.
>On 4.11.2014 21:57, William Muriithi wrote:
>> Afternoon,
>>
>> I have two AD and would like to retain that redundancy within IPA after
>> establishing trust relationship. How would one achieve that?
>>
>> I have attempted the following:
>>
>>
>> [root at ipa3-yyz-int ~]# ipa dnszone-add example.local
>> --name-server=srvyyzdc02.example.local --name-server=srvyyzdc01.example.local
>> --admin-email='systemadmin at example.com' --force --forwarder=10.10.10.90
>> --forwarder=10.10.10.91 --forward-policy=only --ip-address=10.10.10.90
>> --ip-address=10.10.10.91
>> ipa: ERROR: invalid 'idnssoamname': Only one value is allowed
>>
>> And got the following error above
>>
>
>>Hello,
>
>>Could you explain what you are trying to achieve, please?
>
>Was trying to make sure trust remains in place even if we lose one of the master AD
>
>>What version of FreeIPA do you use?
>
>Version 3.3. Default on centos 7 with all updates applied. Not at office at the moment so can't post rpm precise version 
>
>>Commands 'ipa dnszone-*' manage DNS and are not strictly related to AD trusts.
>>If you add DNS zone to one IPA server it is automatically served by all other
>>servers. This applies to master & forward zones too.
>
>Ah. I see. I misunderstood the documentation then.
>
>So, would ipa know there are two active directories in the network even
>without being explicit on the configuration? I am guessing through DNS?
IPA uses DNS SRV records to discover AD DCs to talk to. You can read
more about the mechanism Windows uses to discover services via DNS here:
http://msdn.microsoft.com/en-us/library/cc717360.aspx

If you want redundancy on the Active Directory side, make sure the DNS zone for
the Active Directory forest contains SRV records as explained in MS-ADTS 6.3.6.1
and that these records mention all required servers.

-- 
/ Alexander Bokovoy
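The SRV-based discovery Alexander describes is what gives the trust its redundancy: as long as both domain controllers are advertised under the forest's `_msdcs` SRV names, a client picks one by priority and weight and moves on to the next if the first is down. The following is an added example, not code from the thread or from FreeIPA, showing that selection and failover logic (RFC 2782 ordering) and a check that every expected DC is actually advertised. The SRV answer is constructed here; the hostnames are the two DCs from the thread, the priority, weight and port values are assumed.

```python
"""Added example (not part of the original thread or of FreeIPA): how a
DNS-SRV-based client discovers AD domain controllers and fails over
between them, plus a check that all expected DCs are advertised.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is preferred (RFC 2782)
    weight: int     # relative share within the same priority
    port: int
    target: str


# Constructed SRV answer for _ldap._tcp.dc._msdcs.example.local.
# Hostnames are the two DCs named in the thread; priority/weight/port
# values are assumed for the example.
CONSTRUCTED_SRV = [
    SrvRecord(0, 100, 389, "srvyyzdc01.example.local."),
    SrvRecord(0, 100, 389, "srvyyzdc02.example.local."),
]


def _norm(name: str) -> str:
    """Canonical form of a DNS name for comparison (no trailing dot, lowercase)."""
    return name.rstrip(".").lower()


def order_by_rfc2782(records, rng=random):
    """Return target hostnames in the order a client should try them.

    Records are grouped by priority (lowest first); within one priority a
    weighted random choice is repeated until the group is exhausted, which
    is the RFC 2782 selection algorithm.
    """
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            pick = rng.randint(0, total) if total else 0
            running = 0
            chosen = bucket[-1]
            for r in bucket:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append(_norm(chosen.target))
            bucket.remove(chosen)
    return ordered


def first_reachable(records, is_up, rng=random):
    """Simulate failover: return the first DC (in RFC 2782 order) that answers.

    `is_up` is a caller-supplied probe, e.g. a TCP connect to the LDAP port;
    here it is injected so the logic can be exercised offline.
    """
    for target in order_by_rfc2782(records, rng):
        if is_up(target):
            return target
    return None


def missing_dcs(records, expected_hosts):
    """Redundancy check: which expected DCs are NOT advertised in the SRV set?

    If this returns a non-empty set, losing the advertised DC breaks
    discovery, which is exactly the situation the thread is trying to avoid.
    """
    advertised = {_norm(r.target) for r in records}
    return {_norm(h) for h in expected_hosts} - advertised


if __name__ == "__main__":
    both = ["srvyyzdc01.example.local", "srvyyzdc02.example.local"]
    print("try order:", order_by_rfc2782(CONSTRUCTED_SRV))
    print("missing DCs:", missing_dcs(CONSTRUCTED_SRV, both))
    # Pretend dc01 is down: discovery should still land on dc02.
    print("reachable:", first_reachable(CONSTRUCTED_SRV,
                                        lambda t: t.startswith("srvyyzdc02")))
```

To run the same check against a real forest, replace `CONSTRUCTED_SRV` with the answers from a query such as `dig SRV _ldap._tcp.dc._msdcs.<forest>` (and the corresponding `_kerberos._tcp.dc._msdcs.<forest>` name) and list the DCs you expect in `expected_hosts`; a DC missing from that answer is one the trust cannot fail over to.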



