[Freeipa-users] FreeIPA with Active directory Read-only domain controller trust setup

Petr Spacek pspacek at redhat.com
Tue Mar 31 06:55:15 UTC 2015


On 30.3.2015 18:00, Dmitri Pal wrote:
> On 03/30/2015 11:12 AM, Srdjan Dutina wrote:
>> Hi,
>>
>> I'm testing a FreeIPA (v4.1.3, CentOS 7) - AD (2012 R2) trust on a branch site
>> where only an AD read-only domain controller (RODC) exists.
>> I'm aware that for the initial establishment of the trust I need access to a writable
>> domain controller so IPA can add the trust to AD Domains and Trusts.
>> But after the initial setup, can the FreeIPA-AD trust continue to function with IPA
>> access to the RODC only?
> 
> Should work.
> 
>> Will Kerberos authentication of AD users on IPA domain hosts work?
>> In this case, should the FreeIPA server have a DNS forward zone configured with
>> the RODC as a forwarder to AD?

It should not matter as long as the forwarder knows how to resolve all the DNS
names. The general advice is to pick the nearest server if you have access to it and
add a couple of other servers to enable fail-over (if the nearest server fails for
some reason).

-- 
Petr^2 Spacek
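
An added example (not part of the thread) of the forward-zone setup Petr describes: the nearest RODC listed first, two further DCs as fail-over forwarders, with each forwarder checked for the AD domain's SOA before the zone is committed. The domain name and addresses are placeholders; `ipa dnsforwardzone-add` needs an admin Kerberos ticket on the IPA server.

```shell
#!/bin/sh
# Constructed placeholders: AD domain and forwarders, nearest RODC first,
# then two writable DCs at the main site for fail-over.
AD_DOMAIN="ad.example.test"
FORWARDERS="10.0.1.10 10.0.0.10 10.0.0.11"

# Build the ipa command for the forward zone; policy "only" means IPA never
# falls back to recursion for this domain, so the forwarders must answer.
build_forwardzone_cmd() {
    zone="$1"; shift
    cmd="ipa dnsforwardzone-add $zone --forward-policy=only"
    for fw in "$@"; do
        cmd="$cmd --forwarder=$fw"
    done
    printf '%s\n' "$cmd"
}

# Does this forwarder answer the SOA of the AD domain? Short timeout so a dead
# branch server does not stall the check.
check_forwarder() {
    dig +short +time=2 +tries=1 @"$1" SOA "$2" | grep -q .
}

# Verify every forwarder, then create the zone only if at least the nearest
# one (listed first) resolves the AD domain. Run this manually on the IPA server.
apply_forwardzone() {
    zone="$1"; shift
    ok=0
    for fw in "$@"; do
        if check_forwarder "$fw" "$zone"; then
            echo "forwarder $fw: resolves $zone"; ok=$((ok + 1))
        else
            echo "forwarder $fw: NO answer for $zone (check site link / firewall)" >&2
        fi
    done
    [ "$ok" -gt 0 ] || { echo "no forwarder resolves $zone, aborting" >&2; return 1; }
    sh -c "$(build_forwardzone_cmd "$zone" "$@")"
}

# Offline by default: print the command for review; call apply_forwardzone to commit.
build_forwardzone_cmd "$AD_DOMAIN" $FORWARDERS
```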
