[Freeipa-users] DNS Design for FreeIPA4

Steven Jones Steven.Jones at vuw.ac.nz
Fri Jan 16 03:08:16 UTC 2015


Hi,

KISS

Keep it simple and stupid.

What we do is:

AD domain is domain.com and does all its own DNS and Kerberos; all Windows machines point at it, etc.

IPA domain is ipa.domain.com, and all IPAs and indeed all Linux servers point at IPA for everything, including NTP.

IPA servers use the AD servers as forwarders to get WWW DNS answers etc.

Regards,

Steven

________________________________________
From: freeipa-users-bounces at redhat.com <freeipa-users-bounces at redhat.com> on behalf of Baird, Josh <jbaird at follett.com>
Sent: Friday, 16 January 2015 3:30 p.m.
To: William Muriithi; freeipa-users at redhat.com; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] DNS Design for FreeIPA4

William,

I don't understand why I would have problems if AD DNS can resolve IPA dns, and IPA DNS can resolve AD DNS?

The DNS servers that my servers are using can resolve both AD and IPA.

Thanks,

Josh

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> bounces at redhat.com] On Behalf Of William Muriithi
> Sent: Thursday, January 15, 2015 8:08 PM
> To: freeipa-users at redhat.com; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] DNS Design for FreeIPA4
>
> Josh,
>
> You will have problems if you go with the plan below, in my opinion. I used
> arrangements like the one you listed below when I used FreeIPA 2.2. This
> worked for me only when I had users hosted on FreeIPA. After upgrading to
> 3.3 for trust, it became very unreliable, and I had to point the IPA clients to the
> IPA server for it to work reliably.
>
> Especially if you plan to point them to AD, it wouldn't work, as AD uses DNS for
> configuration just like IPA, so there will be a conflict.
>
> William
>
>
> We are currently piloting FreeIPA4 (RHEL 7.1 IdM) in our environment. We
> plan on establishing a trust with AD at some point during the POC. An
> overview of the current DNS design:
>
> * FreeIPA runs integrated DNS (i.e., ipa.domain.com)
> * Servers in our environment (even once joined to IPA) continue to use our
> current non-IPA DNS infrastructure for name resolution
> * Servers in our environment have hostnames in several other non-IPA
> domains (not ipa.domain.com)
> * IPA DNS is configured to zone-transfer ipa.domain.com to our primary
> infrastructure non-IPA DNS servers
> * IPA is configured to forward all non-ipa.domain.com requests to our
> primary infrastructure non-IPA DNS servers
> * ipa.domain.com DNS can be resolved from all non-IPA DNS servers since it
> is a slave on our primary non-IPA DNS servers
> * IPA can resolve our Active Directory DNS (ad.domain.lan)
> * Active Directory DNS can resolve IPA DNS (ipa.domain.com)
>
> Is this a sensible design for DNS? In this configuration, IPA does not appear
> to be creating DNS records in ipa.domain.com for the hosts that we add to
> IPA. This is presumably because the hosts themselves are in other domains
> (not ipa.domain.com) which are not controlled by IPA. Is this going to cause
> problems?
>
> We have a requirement to keep all servers in our environment using our
> primary non-IPA DNS servers for resolution. It seemed logical to use IPA-
> integrated DNS just so IPA could manage the SRV/LDAP records
> automatically within the IPA zone.
>
> Any advice/tips/suggestions regarding this design would be greatly
> appreciated.
>
> Thanks,
>
> Josh
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
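An added check, not part of the thread or of FreeIPA itself: a POSIX shell script that lists the service-discovery SRV records an IPA client must find under ipa.domain.com (Josh's layout, where clients use non-IPA resolvers) and the AD records an IPA server must reach through its forwarders (Steven's layout), then queries each against a chosen resolver with dig. The resolver address is a placeholder; the domain names are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not part of the thread. Lists the DNS service-discovery
# records behind the designs above and verifies them with dig.

# SRV names an IPA client (and ipa-client-install) looks up under the IPA
# domain to find LDAP, the KDC, kpasswd and NTP.
ipa_srv_names() {
  d="$1"
  for s in _ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp \
           _kerberos-master._udp _kpasswd._tcp _kpasswd._udp _ntp._udp; do
    echo "$s.$d"
  done
}

# SRV names an IPA server must resolve (via its forwarders, as in Steven's
# layout) to locate AD domain controllers once a trust exists.
ad_srv_names() {
  d="$1"
  for s in _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs _ldap._tcp _kerberos._tcp; do
    echo "$s.$d"
  done
}

# Query each name as SRV against one resolver. Prints every name that gets
# no answer and returns the number missing (0 means the resolver can serve
# these clients).
check_srv() {
  resolver="$1"; shift
  missing=0
  for n in "$@"; do
    ans=$(dig +short +time=2 +tries=1 @"$resolver" "$n" SRV 2>/dev/null)
    if [ -z "$ans" ]; then
      echo "MISSING $n via $resolver"
      missing=$((missing + 1))
    else
      echo "OK      $n -> $(echo "$ans" | head -n 1)"
    fi
  done
  return "$missing"
}

# Usage (192.0.2.53 is a placeholder for the resolver your servers use):
#   check_srv 192.0.2.53 $(ipa_srv_names ipa.domain.com)
#   check_srv 192.0.2.53 $(ad_srv_names ad.domain.lan)
```

A non-zero exit count from the first call is the concrete form of the unreliability William describes: clients on that resolver cannot discover the IPA KDC or LDAP servers.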