[Freeipa-users] DNS Design for FreeIPA4

Petr Spacek pspacek at redhat.com
Fri Jan 16 09:33:00 UTC 2015


On 15.1.2015 20:51, Baird, Josh wrote:
> Hi,
> 
> We are currently piloting FreeIPA4 (RHEL 7.1 IdM) in our environment.  We plan on establishing a trust with AD at some point during the POC.  An overview of the current DNS design:
> 
> * FreeIPA runs integrated DNS (i.e., ipa.domain.com)
> * Servers in our environment (even once joined to IPA) continue to use our current non-IPA DNS infrastructure for name resolution
> * Servers in our environment have hostnames in several other non-IPA domains (not ipa.domain.com)
> * IPA DNS is configured to zone-transfer ipa.domain.com to our primary infrastructure non-IPA DNS servers
> * IPA is configured to forward all non ipa.domain.com requests to our primary infrastructure non-IPA DNS servers
> * ipa.domain.com DNS can be resolved from all non-IPA DNS servers since it is a slave on our primary non-IPA DNS servers
> * IPA can resolve our Active Directory DNS (ad.domain.lan)
> * Active Directory DNS can resolve IPA DNS (ipa.domain.com)
> 
> Is this a sensible design for DNS?  In this configuration, IPA does not appear to be creating DNS records in ipa.domain.com for the hosts that we add to IPA.  This is presumably because the hosts themselves are in other domains (not ipa.domain.com) which are not controlled by IPA.  Is this going to cause problems?
It should work as long as AD and IPA controlled domains do not overlap. You
have to put AD-directly-joined machines into one set of DNS domains and
IPA-joined machines into a distinct set of DNS domains.

This is a requirement because you have to have an unambiguous DNS domain ->
Kerberos REALM mapping.

> We have a requirement to keep all servers in our environment using our primary non-IPA DNS servers for resolution.  It seemed logical to use IPA-integrated DNS just so IPA could manage the SRV/LDAP records automatically within the IPA zone.
This is definitely a good idea.

> Any advice/tips/suggestions regarding this design would be greatly appreciated.
It should work just fine if you respect the limitation mentioned above. Let us
know if you encounter any problems so we can help you with debugging.

-- 
Petr^2 Spacek
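The non-overlap rule from the reply above, as an added example that is not part of the thread or of FreeIPA: a small Python check that the DNS domains assigned to the AD realm and to the IPA realm do not overlap (no domain of one realm equals or contains a domain of the other), and that renders the resulting krb5.conf [domain_realm] block. The realm names and any domains beyond ipa.domain.com and ad.domain.lan are assumed for illustration.

```python
"""Verify that AD-joined and IPA-joined DNS domains give every host name exactly
one Kerberos realm. Added example; realm and domain names are constructed."""


def _norm(domain):
    """Lower-case and strip a trailing dot so comparisons are exact."""
    return domain.strip().lower().rstrip(".")


def _covers(parent, child):
    """True if `child` equals `parent` or lies under it
    (e.g. host.ipa.domain.com lies under ipa.domain.com)."""
    return child == parent or child.endswith("." + parent)


def find_overlaps(realm_domains):
    """realm_domains: {REALM: [DNS domains controlled by that realm]}.
    Returns (domain_a, realm_a, domain_b, realm_b) tuples where a domain of one
    realm covers a domain of another realm, i.e. names under domain_b would
    match both realms and the DNS -> realm mapping is ambiguous."""
    flat = [(_norm(d), realm) for realm, ds in realm_domains.items() for d in ds]
    problems = []
    for dom_a, realm_a in flat:
        for dom_b, realm_b in flat:
            if realm_a != realm_b and _covers(dom_a, dom_b):
                problems.append((dom_a, realm_a, dom_b, realm_b))
    return problems


def domain_realm_section(realm_domains):
    """Render a krb5.conf [domain_realm] block from a non-overlapping layout.
    '.dom = REALM' maps hosts under the domain, 'dom = REALM' the apex itself."""
    if find_overlaps(realm_domains):
        raise ValueError("ambiguous DNS domain -> Kerberos realm mapping")
    lines = ["[domain_realm]"]
    for realm in sorted(realm_domains):
        for dom in sorted(_norm(d) for d in realm_domains[realm]):
            lines.append(f"  .{dom} = {realm}")
            lines.append(f"  {dom} = {realm}")
    return "\n".join(lines)
```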
