[Freeipa-users] Trust with Active Directory fails
Guertin, David S.
guertin at middlebury.edu
Mon Feb 9 16:40:17 UTC 2015
> For Active Directory cross-forest trusts to work, we need following records
> to be in place:
>
> _ldap._tcp.<DOMAIN>
> _kerberos._udp.<DOMAIN>
> _kerberos._tcp.<DOMAIN>
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.<DOMAIN>
> _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.<DOMAIN>
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.<DOMAIN>
> _ldap._tcp.dc._msdcs.<DOMAIN>
> _kerberos._udp.dc._msdcs.<DOMAIN>
> _kerberos._tcp.dc._msdcs.<DOMAIN>
I've checked with nslookup, and for the IPA subdomain csns.example.com, all the records are in place. For the parent example.com domain, though, the following four records are not found:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.example.com
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com
_kerberos._udp.dc._msdcs.example.com
Do these need to be manually added to our DNS records? I've never had to manually add an SRV record before. If it matters, we are not using our domain controllers as our DNS servers -- we have separate, dedicated DNS servers in our environment.
Thanks,
David Guertin
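To run the same check the post describes against both the IPA subdomain and the parent domain without querying each name by hand, here is a small script added here (not from the thread or the FreeIPA project) that expands the nine SRV names from the quoted reply for a domain and reports which ones get no answer; the default resolver shells out to `dig`, which is assumed to be installed, and a different resolver can be passed in for testing.

```python
"""Report which SRV records expected for a FreeIPA/AD cross-forest trust are missing."""
import subprocess
from typing import Callable, Iterable

# The nine SRV owner names from the quoted reply, relative to the domain.
REQUIRED_SRV_PREFIXES = [
    "_ldap._tcp",
    "_kerberos._udp",
    "_kerberos._tcp",
    "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs",
    "_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs",
    "_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs",
    "_ldap._tcp.dc._msdcs",
    "_kerberos._udp.dc._msdcs",
    "_kerberos._tcp.dc._msdcs",
]


def required_srv_names(domain: str) -> list[str]:
    """Expand the prefix list into fully qualified SRV names for DOMAIN."""
    domain = domain.strip(".")
    return [f"{prefix}.{domain}" for prefix in REQUIRED_SRV_PREFIXES]


def dig_srv(name: str) -> list[str]:
    """Resolve NAME as SRV via `dig +short` (assumes dig is installed); [] means no answer."""
    result = subprocess.run(["dig", "+short", "SRV", name],
                            capture_output=True, text=True, check=False)
    return [line for line in result.stdout.splitlines() if line.strip()]


def missing_srv_records(domain: str,
                        resolve: Callable[[str], Iterable[str]] = dig_srv) -> list[str]:
    """Return the required SRV names for DOMAIN for which RESOLVE gives no answer."""
    return [name for name in required_srv_names(domain) if not list(resolve(name))]


if __name__ == "__main__":
    import sys
    # Usage: python check_srv.py csns.example.com example.com
    for dom in sys.argv[1:] or ["example.com"]:
        missing = missing_srv_records(dom)
        report = "all present" if not missing else "missing:\n  " + "\n  ".join(missing)
        print(f"{dom}: {report}")
```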