[Freeipa-users] FreeIPA with Active directory Read-only domain controller trust setup

Dmitri Pal dpal at redhat.com
Mon Mar 30 16:00:18 UTC 2015


On 03/30/2015 11:12 AM, Srdjan Dutina wrote:
> Hi,
>
> I'm testing FreeIPA (v4.1.3, Centos 7) - AD (2012 R2) trust on a branch 
> site where only an AD read-only domain controller (RODC) exists.
> I'm aware that for the initial establishment of the trust I need access to a 
> writable domain controller so IPA can add the trust to AD domains and trusts.
> But after the initial setup, can the FreeIPA-AD trust continue to function 
> with IPA access to the RODC only?

Should work.

> Will Kerberos authentication of AD users on IPA domain hosts work?
> In this case, should the FreeIPA server have a DNS forward zone configured 
> with the RODC as a forwarder to AD?

Can't help you here. Hopefully someone with DNS knowledge will chime in, but 
they might be gone for the day.

> AD users have cached passwords on RODC, so authentication is possible 
> in case of WAN link failure.
>
> Thanks!
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
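
The DNS forward zone asked about above, as an added example that is not part of the thread or of FreeIPA's own documentation: a forward-only zone for the AD domain on the IPA server that points at the branch RODC, followed by a check that the SRV records AD clients and the IPA trust code use to locate a domain controller resolve through it and name the RODC. The domain ad.example.test, the RODC address 10.20.0.5, the host names and the sample dig output are assumptions constructed for illustration; `ipa dnsforwardzone-add` and `dig` are the real commands.

```shell
#!/bin/sh
# Added example, not from the thread. Names, addresses and sample output are
# assumptions for illustration.
set -eu

AD_DOMAIN="ad.example.test"           # assumed AD domain the trust is with
RODC_IP="10.20.0.5"                   # assumed address of the branch RODC
IPA_SERVER="ipa1.ipa.example.test"    # assumed IPA server running integrated DNS
RODC_HOST="rodc1.ad.example.test"     # assumed hostname the RODC advertises

# Forward-only zone for the AD domain: IPA DNS sends every query under
# $AD_DOMAIN to the RODC and does not fall back to recursion for that zone.
configure_forward_zone() {
    ipa dnsforwardzone-add "$AD_DOMAIN" \
        --forwarder="$RODC_IP" \
        --forward-policy=only
}

# SRV records that AD clients and the IPA trust code use to locate a DC.
SRV_NAMES="_ldap._tcp _kerberos._tcp _kerberos._udp _ldap._tcp.dc._msdcs"

# Turn `dig +short SRV` output ("prio weight port target.") into bare targets.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Live check: ask the IPA server for each record; answers arrive via the forwarder.
query_srv() {
    for n in $SRV_NAMES; do
        printf '%s.%s -> ' "$n" "$AD_DOMAIN"
        dig +short @"$IPA_SERVER" SRV "$n.$AD_DOMAIN" | srv_targets | tr '\n' ' '
        echo
    done
}

# Succeed only if at least one target was read and every target equals $1.
all_point_to() {
    expected="$1"
    count=0
    while read -r target; do
        count=$((count + 1))
        [ "$target" = "$expected" ] || return 1
    done
    [ "$count" -gt 0 ]
}

# Constructed `dig +short SRV` output for a branch where only the RODC answers.
SAMPLE_RODC_ONLY='0 100 389 rodc1.ad.example.test.'
# Constructed output where a writable DC from another site is still advertised.
SAMPLE_MIXED='0 100 389 rodc1.ad.example.test.
0 100 389 dc1.ad.example.test.'

# Offline demonstration of the check on the constructed samples.
if printf '%s\n' "$SAMPLE_RODC_ONLY" | srv_targets | all_point_to "$RODC_HOST"; then
    echo "sample 1: all SRV targets are the RODC"
fi
if ! printf '%s\n' "$SAMPLE_MIXED" | srv_targets | all_point_to "$RODC_HOST"; then
    echo "sample 2: a non-RODC target is advertised"
fi
```

`configure_forward_zone` needs an admin Kerberos ticket on the IPA server and is not run automatically; neither is `query_srv`, which needs network access. Only the offline sample check runs when the script is executed. With `--forward-policy=only` the IPA DNS server sends queries for the AD zone to the listed forwarder and nowhere else, so the second sample shows what to look for when a writable DC from another site is still being advertised to the branch.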
