[Freeipa-users] Free IPA to Microsoft AD 2008R2 trust question

Alexander Bokovoy abokovoy at redhat.com
Tue Oct 13 08:46:13 UTC 2015


On Tue, 13 Oct 2015, Petr Spacek wrote:
>On 12.10.2015 22:20, Alexander Bokovoy wrote:
>> On Mon, 12 Oct 2015, Andy Thompson wrote:
>>>
>>>
>>>> -----Original Message-----
>>>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
>>>> bounces at redhat.com] On Behalf Of Hoffmaster, John
>>>> Sent: Monday, October 12, 2015 3:46 PM
>>>> To: freeipa-users at redhat.com
>>>> Subject: [Freeipa-users] Free IPA to Microsoft AD 2008R2 trust question
>>>>
>>>> Hi,
>>>>
>>>> The company I work for uses an AD 2008R2 DC to resolve requests for
>>>> Unix/Linux servers in various environments, under one domain,
>>>> example.com, with the realm EXAMPLE.COM.
>>>>
>>>> Is it possible to use FreeIPA 4.1.0 with an AD trust, with only itself as a
>>>> name server and forwarding all DNS requests to the Windows DCs, and still
>>>> keep everything in the example.com domain without creating a child domain
>>>> like ipa.example.com?
>>>>
>>>> http://www.freeipa.org/page/Active_Directory_trust_setup
>>>>
>>>> Add for RedHat 7, use hostnamectl set-hostname ipa.example.com
>>>>
>>>> and
>>>> change the IPA server install command to
>>>>
>>>> ipa-server-install -a mypassword1 -p mypassword2 --domain=example.com \
>>>>   --realm=example.com --setup-dns --forwarder=AD_ipaddress
>>>>
>>>> Thanks,
>>>>
>>>
>>> No. The IPA domain has to be different from the AD domain.
>> This is true for any two separate Active Directory forests, and as IPA
>> represents itself as a separate AD forest for the trust relationship, it
>> is forced to follow Active Directory requirements.
>
>In other words, IPA itself needs one separate domain for SRV records and other
>stuff.
>
>Client machines may have hostnames in different domains as long as there is
>1:1 mapping between domain->REALM (AD/IPA).
Yep. Let's say explicitly:
 - IPA machines cannot belong to any domain of AD forest -- in terms of
   DNS this means they cannot have A/AAAA records in any AD domain's DNS
   zone;
 - IPA machines may have CNAMEs in an AD domain's DNS zone that point to
   A/AAAA records in IPA DNS zones.

If you follow these two rules, you'll have single sign-on working
between IPA and AD through the cross-forest trust.
-- 
/ Alexander Bokovoy
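The two DNS rules above, expressed as a check over a zone export, as an added example that is not part of the thread: the hostnames, addresses and the AD/IPA zone names below are constructed, and "IPA machine" is taken to mean any address that has an A/AAAA record in an IPA zone.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    name: str   # owner name, e.g. "ipa1.ipa.example.com"
    rtype: str  # "A", "AAAA" or "CNAME"
    value: str  # IP address, or the target name for a CNAME

def _norm(name):
    return name.rstrip(".").lower()

def in_any(name, zones):
    """True if name is the apex of, or lies below, one of the zones."""
    n = _norm(name)
    return any(n == _norm(z) or n.endswith("." + _norm(z)) for z in zones)

def check_trust_dns(records, ad_zones, ipa_zones):
    """Return rule violations (empty list means compliant).
    Rule 1: an IPA machine (address with an A/AAAA record in an IPA zone)
            must not also have an A/AAAA record in an AD zone.
    Rule 2: an AD-zone CNAME leading to an IPA machine must target a name in
            an IPA zone. A delegated IPA zone below an AD zone counts as IPA."""
    addr_types = ("A", "AAAA")
    ipa_addrs = {r.value for r in records
                 if r.rtype in addr_types and in_any(r.name, ipa_zones)}
    addrs_of = {}  # owner name -> set of addresses, used to follow CNAMEs
    for r in records:
        if r.rtype in addr_types:
            addrs_of.setdefault(_norm(r.name), set()).add(r.value)
    problems = []
    for r in records:
        if in_any(r.name, ipa_zones) or not in_any(r.name, ad_zones):
            continue  # only records living in an AD zone are constrained
        if r.rtype in addr_types and r.value in ipa_addrs:
            problems.append(f"{r.name} {r.rtype} {r.value}: IPA machine has an "
                            "address record in an AD zone (rule 1)")
        elif (r.rtype == "CNAME" and not in_any(r.value, ipa_zones)
              and addrs_of.get(_norm(r.value), set()) & ipa_addrs):
            problems.append(f"{r.name} CNAME {r.value}: alias for an IPA machine "
                            "must target a name in an IPA zone (rule 2)")
    return problems

# Constructed sample (not real hosts): AD zone example.com, IPA zone ipa.example.com.
SAMPLE = [
    Record("ipa1.ipa.example.com", "A", "192.0.2.10"),                  # IPA server
    Record("dc1.example.com", "A", "192.0.2.1"),                        # AD DC, fine
    Record("ipa1.example.com", "A", "192.0.2.10"),                      # breaks rule 1
    Record("ipa1-alias.example.com", "CNAME", "ipa1.ipa.example.com"),  # allowed
    Record("web.example.com", "CNAME", "ipa1.example.com"),             # breaks rule 2
]
```

Running `check_trust_dns(SAMPLE, ["example.com"], ["ipa.example.com"])` reports the third and fifth records; feed it a real zone dump from both sides before enabling the trust.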