[Freeipa-users] mixed DNS subnets for FreeIPA and M$ AD

Alexander Bokovoy abokovoy at redhat.com
Wed Dec 9 08:32:14 UTC 2015


On Wed, 09 Dec 2015, Harald Dunkel wrote:
>On 12/08/2015 03:08 PM, Petr Spacek wrote:
>>
>> Does
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prerequisites.html#dns-reqs
>>
>> and
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings
>>
>> answer your questions?
>>
>
>Not really. All these documents bring up strings like
>"ipa.example.com". Sometimes that's a DNS domain, sometimes
>it's a Kerberos realm (even though it's in lower case letters).
>The assumption that DNS and realm name match is based upon a
>recommendation, i.e. you cannot rely upon that. (Not to
>mention that "example.com" and "ad.example.com" *are* unique.)
In Active Directory, the Kerberos realm is always a capitalized version of
the primary DNS domain occupied by this Active Directory domain.


>My point is: Currently I have a hierarchy between the DNS top
>level domain "example.com" and the windows DNS domain
>"ws.example.com". I do not have a hierarchy between the IM
>solutions for Unix and Windows (currently NIS and AD). Moving
>from NIS/bind to FreeIPA I would prefer to keep this setup. If
>this is not possible, then I can live with moving the IPA
>servers to "ipa.example.com" (DNS), but I cannot change the
>other DNS subnets. Changing existing host and domain names
>is *highly* expensive.
You can keep your own arrangement if it doesn't conflict with your Active
Directory deployment's ownership of DNS zones.

You are saying ws.example.com is your AD DNS domain. Do you have
machines from example.com enrolled into AD? If there are machines from
DNS zone example.com in AD, you cannot have IPA deployed in DNS zone
example.com because AD will not allow trust between something that
claims to own DNS zone AD owns already.

It is as simple as that. When you create an AD deployment, it establishes
ownership over the DNS domain which is used to create the deployment.
Later, each enrolled computer's DNS domain is added to the list of owned
DNS domains. They would all belong to Active Directory, and having some
other Active Directory claim ownership over them would be seen as a
conflict.

-- 
/ Alexander Bokovoy
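The zone-ownership rule described in the reply above, modelled as a small planning check (an added example, not code from the thread or from FreeIPA). The AD domain, enrolled host names and planned IPA domains are constructed to mirror Harald's layout; the function and variable names are assumptions.

```python
from typing import Iterable

def _norm(name: str) -> str:
    """Lower-case a DNS name and drop any trailing dot."""
    return name.rstrip(".").lower()

def ad_realm(ad_dns_domain: str) -> str:
    """AD Kerberos realm is the upper-case form of the primary DNS domain."""
    return _norm(ad_dns_domain).upper()

def dns_domain_of(fqdn: str) -> str:
    """DNS domain of an enrolled computer: its FQDN minus the host label."""
    return ".".join(_norm(fqdn).split(".")[1:])

def ad_owned_zones(ad_dns_domain: str, enrolled_fqdns: Iterable[str]) -> set:
    """Zones AD claims: its own domain plus every enrolled computer's DNS domain."""
    zones = {_norm(ad_dns_domain)}
    zones.update(dns_domain_of(h) for h in enrolled_fqdns)
    return zones

def check_ipa_plan(ipa_dns_domain: str, ad_dns_domain: str,
                   enrolled_fqdns: Iterable[str]) -> dict:
    """Report whether deploying IPA in ipa_dns_domain clashes with AD-owned zones."""
    ipa = _norm(ipa_dns_domain)
    owned = ad_owned_zones(ad_dns_domain, enrolled_fqdns)
    return {
        "ipa_realm": ipa.upper(),        # IPA default: realm follows its DNS domain
        "ad_realm": ad_realm(ad_dns_domain),
        "ad_owned_zones": sorted(owned),
        "conflict": ipa in owned,        # AD will not trust a claimant of its zone
    }

if __name__ == "__main__":
    # Constructed scenario: AD lives in ws.example.com with one Windows PC,
    # plus a file server from the parent zone example.com joined to AD.
    enrolled = ["pc1.ws.example.com", "nas.example.com"]
    for plan in ("example.com", "ipa.example.com"):
        r = check_ipa_plan(plan, "ws.example.com", enrolled)
        print(plan, "->", "CONFLICT" if r["conflict"] else "ok", r["ad_owned_zones"])
```

Removing the example.com machine from AD (or re-homing it) is what makes an IPA deployment in example.com possible again in this model.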
