[Freeipa-users] Trust relationship redundancy

Alexander Bokovoy abokovoy at redhat.com
Wed Nov 5 20:36:02 UTC 2014

On Wed, 05 Nov 2014, William Muriithi wrote:
>Sorry, missed your response earlier.
>On 4.11.2014 21:57, William Muriithi wrote:
>> Afternoon,
>> I have two AD and would like to retain that redundancy within IPA after
>> establishing trust relationship. How would one achieve that?
>> I have attempted the following:
>> [root at ipa3-yyz-int ~]# ipa dnszone-add example.local
>> --name-server=srvyyzdc02.example.local --name-server=srvyyzdc01.example.local
>> --admin-email='systemadmin at example.com' --force --forwarder=
>> --forwarder= --forward-policy=only --ip-address=
>> --ip-address=
>> ipa: ERROR: invalid 'idnssoamname': Only one value is allowed
>> And got the following error above
>> Could you explain what you are trying to achieve, please?
> Was trying to make sure the trust remains in place even if we lose one of the master AD
>> What version of FreeIPA do you use?
> Version 3.3. Default on CentOS 7 with all updates applied. Not at office at the moment so can't post precise rpm version
>> Commands 'ipa dnszone-*' manage DNS and are not strictly related to AD trusts.
>> If you add DNS zone to one IPA server it is automatically served by all other
>> servers. This applies to master & forward zones too.
>Ah. I see. I misunderstood the documentation then.
>So, would ipa know there are two active directories in the network even
>without being explicit on the configuration? I am guessing through DNS?
IPA uses DNS SRV records to discover AD DCs to talk to. You can read
more about the mechanism Windows uses to discover services via DNS here:

If you want redundancy on the Active Directory side, make sure the DNS zone for
the Active Directory forest contains SRV records as explained in MS-ADTS
and that these records mention all required servers.

/ Alexander Bokovoy
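The check Alexander describes, as an added example that is not part of the thread or of FreeIPA itself: parse the SRV records in the AD forest zone (the `_msdcs` names from MS-ADTS for the DC locator, Kerberos and global catalog services) and report any service that is advertised by only one domain controller, since that is the single point of failure that would break the trust if that DC is lost. The record text below is constructed in `dig +noall +answer` layout, reusing the host names from the thread; in practice you would feed it the real output of `dig SRV _ldap._tcp.dc._msdcs.<forest>` and the other names.

```python
"""Check that an AD forest DNS zone advertises more than one domain
controller for the SRV names a trust partner such as FreeIPA looks up.

Added example, not code from the mailing-list thread or from FreeIPA.
The record names follow the _msdcs layout documented in MS-ADTS; the
sample records are constructed."""
import re
from collections import defaultdict

# Constructed sample in `dig +noall +answer` layout for the forest zone.
# Two DCs serve LDAP and Kerberos; only one advertises the global catalog.
SAMPLE_ANSWER = """\
_ldap._tcp.dc._msdcs.example.local.     600 IN SRV 0 100 389  srvyyzdc01.example.local.
_ldap._tcp.dc._msdcs.example.local.     600 IN SRV 0 100 389  srvyyzdc02.example.local.
_kerberos._tcp.dc._msdcs.example.local. 600 IN SRV 0 100 88   srvyyzdc01.example.local.
_kerberos._tcp.dc._msdcs.example.local. 600 IN SRV 0 100 88   srvyyzdc02.example.local.
_ldap._tcp.gc._msdcs.example.local.     600 IN SRV 0 100 3268 srvyyzdc01.example.local.
"""

# Service names (relative to the forest root) that a trust partner relies on.
REQUIRED_SERVICES = (
    "_ldap._tcp.dc._msdcs",
    "_kerberos._tcp.dc._msdcs",
    "_ldap._tcp.gc._msdcs",
)

SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


def parse_srv(text):
    """Return {owner name: [(priority, weight, port, target), ...]} from
    dig-style answer lines; non-SRV lines are ignored."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = SRV_RE.match(line)
        if not m:
            continue
        records[m["name"].rstrip(".")].append(
            (int(m["prio"]), int(m["weight"]), int(m["port"]),
             m["target"].rstrip(".").lower())
        )
    return dict(records)


def missing_services(records, forest):
    """Required _msdcs names that have no SRV record at all."""
    return [s for s in REQUIRED_SERVICES if f"{s}.{forest}" not in records]


def single_points_of_failure(records):
    """Owner names whose records point at fewer than two distinct hosts."""
    return sorted(
        name for name, rrs in records.items()
        if len({target for _, _, _, target in rrs}) < 2
    )


def ordered_targets(rrs):
    """Candidate order a client uses per RFC 2782 (lowest priority first,
    higher weight preferred within a priority). Ties among equal weights
    are broken by name here instead of RFC 2782's weighted random pick,
    so the result is reproducible."""
    return [t for _, _, _, t in sorted(rrs, key=lambda r: (r[0], -r[1], r[3]))]


def check_forest_zone(text, forest):
    """Summarise redundancy of the forest zone: which required services are
    missing and which are served by a single DC."""
    records = parse_srv(text)
    return {
        "missing": missing_services(records, forest),
        "single_dc": single_points_of_failure(records),
        "dc_order": ordered_targets(
            records.get(f"_ldap._tcp.dc._msdcs.{forest}", [])),
    }


if __name__ == "__main__":
    report = check_forest_zone(SAMPLE_ANSWER, "example.local")
    for key, value in report.items():
        print(f"{key}: {value}")
```

For the constructed sample the report flags `_ldap._tcp.gc._msdcs.example.local` as served by a single DC, which is exactly the kind of gap that survives a DC outage only for the services that list both hosts.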
