[Freeipa-users] Free IPA to Microsoft AD 2008R2 trust question

Petr Spacek pspacek at redhat.com
Tue Oct 13 07:39:53 UTC 2015


On 12.10.2015 22:20, Alexander Bokovoy wrote:
> On Mon, 12 Oct 2015, Andy Thompson wrote:
>>
>>
>>> -----Original Message-----
>>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
>>> bounces at redhat.com] On Behalf Of Hoffmaster, John
>>> Sent: Monday, October 12, 2015 3:46 PM
>>> To: freeipa-users at redhat.com
>>> Subject: [Freeipa-users] Free IPA to Microsoft AD 2008R2 trust question
>>>
>>> Hi,
>>>
>>> The company I work for uses an AD 2008R2 DC to resolve requests for
>>> Unix/Linux servers in various environments, under one domain
>>> example.com, with the Realm EXAMPLE.COM.
>>>
>>> Is it possible to use FreeIPA 4.1.0, with an AD trust, with only itself as a
>>> name server and forwarding all DNS requests to the Windows DCs, and still
>>> keep everything in the example.com domain without creating a child domain
>>> like ipa.example.com?
>>>
>>> http://www.freeipa.org/page/Active_Directory_trust_setup
>>>
>>> Add for RedHat 7, use hostnamectl set-hostname ipa.example.com
>>>
>>> and
>>> change the install IPA server command to
>>>
>>> ipa-server-install -a mypassword1 -p mypassword2 --domain=example.com --realm=example.com --setup-dns --forwarder=AD_ipaddress
>>>
>>> Thanks,
>>>
>>
>> No.  The IPA domain has to be different than the AD domain.
> This is true for any two separate Active Directory forests, and as IPA
> represents itself as a separate AD forest for the trust relationship, it
> is forced to follow Active Directory requirements.

In other words, IPA itself needs one separate domain for SRV records and other
stuff.

Client machines may have hostnames in different domains as long as there is a
1:1 mapping between domain->REALM (AD/IPA).

-- 
Petr^2 Spacek
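The two constraints stated in this thread (IPA needs its own DNS domain, distinct from the AD domain, and every DNS domain a client sits in must map to exactly one Kerberos realm) are easy to get wrong before running ipa-server-install, as the original command line in the question shows. The following pre-flight check is an added example written for this page; it is not code from the FreeIPA project or from anyone in the thread. The function name, the argument layout and the interpretation of "1:1 mapping" as "each normalized DNS domain maps to one realm" are assumptions of this example; the domain and realm values are constructed from the thread.

```python
"""Pre-flight naming checks for an IPA <-> AD trust plan (constructed example).

Encodes the two rules from the thread so a bad --domain/--realm pair is caught
before ipa-server-install is run, not after the trust is attempted.
"""
from typing import Dict, Iterable, List, Set, Tuple


def normalize_domain(name: str) -> str:
    """DNS names are case-insensitive; strip the trailing dot as well so that
    'Lab.Example.com.' and 'lab.example.com' are treated as the same domain."""
    return name.strip().rstrip(".").lower()


def check_trust_plan(ad_domain: str, ad_realm: str,
                     ipa_domain: str, ipa_realm: str,
                     client_mappings: Iterable[Tuple[str, str]]) -> List[str]:
    """Return a list of problems with the plan; an empty list means it passes.

    client_mappings: (dns_domain, realm) pairs for the domains that client
    hostnames live in, each saying which realm that domain belongs to.
    """
    problems: List[str] = []
    ad = normalize_domain(ad_domain)
    ipa = normalize_domain(ipa_domain)
    ad_r = ad_realm.strip()
    ipa_r = ipa_realm.strip()

    # Rule 1: IPA presents itself as a separate AD forest, so it needs its
    # own DNS domain for SRV records; reusing the AD domain is not allowed.
    if ipa == ad:
        problems.append(
            f"IPA domain {ipa!r} is the same as the AD domain; IPA needs its "
            f"own DNS domain for its SRV records (for example ipa.{ad})")

    # Two forests also need two distinct realms.
    if ipa_r.upper() == ad_r.upper():
        problems.append(
            f"IPA realm {ipa_r!r} collides with the AD realm {ad_r!r}")

    # Kerberos convention: realm names are upper-case.
    for label, realm in (("AD", ad_r), ("IPA", ipa_r)):
        if realm != realm.upper():
            problems.append(
                f"{label} realm {realm!r} is not upper-case "
                f"(Kerberos convention; use --realm={realm.upper()})")

    # Rule 2: domain -> realm must be 1:1. Collect every realm each
    # normalized domain is claimed for, then flag any domain with more than one.
    domain_realms: Dict[str, Set[str]] = {}
    domain_realms.setdefault(ad, set()).add(ad_r.upper())
    domain_realms.setdefault(ipa, set()).add(ipa_r.upper())
    for dom, realm in client_mappings:
        d = normalize_domain(dom)
        r = realm.strip().upper()
        if r not in (ad_r.upper(), ipa_r.upper()):
            problems.append(
                f"client domain {d!r} maps to {r!r}, which is neither the AD "
                f"nor the IPA realm")
        domain_realms.setdefault(d, set()).add(r)
    for d, realms in sorted(domain_realms.items()):
        if len(realms) > 1:
            problems.append(
                f"domain {d!r} maps to more than one realm "
                f"({', '.join(sorted(realms))}); domain->realm must be 1:1")
    return problems


if __name__ == "__main__":
    # The plan from the question: same domain for AD and IPA, lower-case realm.
    for p in check_trust_plan("example.com", "EXAMPLE.COM",
                              "example.com", "example.com", []):
        print("PROBLEM:", p)
    # A plan that follows the thread's advice: child domain, distinct realm,
    # client domains each mapped to exactly one realm.
    ok = check_trust_plan("example.com", "EXAMPLE.COM",
                          "ipa.example.com", "IPA.EXAMPLE.COM",
                          [("lab.example.com", "IPA.EXAMPLE.COM"),
                           ("corp.example.com", "EXAMPLE.COM")])
    print("child-domain plan problems:", ok)
```

The check deliberately normalizes DNS names before comparing them: the 1:1 rule is most often broken by the same domain appearing twice in configuration under different capitalization or with a trailing dot, which a naive string comparison would miss.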
