[Freeipa-users] Need help with AD 2012 and FreeIPA 4.2 sync

Alexander Bokovoy abokovoy at redhat.com
Sun Mar 6 17:27:55 UTC 2016


On Fri, 04 Mar 2016, Csaba Patyi wrote:
>Hi Everybody,
>
>We are trying to create sync between Windows 2012 r2 AD and FreeIPA 4.2.0
>(CentOS 7) and we run into an issue.
>
>We are following this documentation:
>https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/active-directory.html
>
>I know it is a little bit old and now the preferred method is trust and not
>sync. But if my understanding is correct, in a trust you have to use 2
>different domains like company.net <--> company.com and it cannot be used as
>company.com <--> company.com
Your understanding is not fully correct.

You cannot have IPA machines in the same DNS zone as Active Directory.
You can have IPA machines in a subdomain or a completely separate zone.

If you need to present IPA machines as part of the Active Directory DNS
zone, you can use the CNAME trick where machines are actually in
.ipa.company.com (A/AAAA in that DNS zone) and have a CNAME in
.company.com that points to the true name in .ipa.company.com.

Again, the reason for this is due to the fact that FreeIPA presents
itself as a separate Active Directory forest and it is impossible for
two Active Directory forests to be in the same DNS zone. This is an
Active Directory limitation, not a FreeIPA one.
-- 
/ Alexander Bokovoy
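The layout Alexander describes (A/AAAA records only in the IPA-owned subzone, a CNAME per host in the AD-owned parent zone) is easy to get subtly wrong, so here is an added example, not part of the thread, that audits it offline. The zone contents, host names and addresses are constructed for the example; in practice you would feed it records exported from the two DNS servers. The commands in the comments are the ones you would use to create the records (`ipa dnsrecord-add` on the IPA side, `Add-DnsServerResourceRecordCName` from the Windows DnsServer module on the AD side).

```python
"""Audit the "CNAME trick" layout for IPA hosts inside an AD DNS namespace.

Constructed sample data (not from the mailing-list thread): company.com is
owned by Active Directory, ipa.company.com is owned by FreeIPA. The
invariant checked is the one from the post: an IPA host keeps its A/AAAA
records in ipa.company.com only, and company.com carries just a CNAME
pointing at that name.

Records would normally be created with, for example:
  ipa dnsrecord-add ipa.company.com client1 --a-rec=10.0.1.20
  Add-DnsServerResourceRecordCName -ZoneName company.com -Name client1 \
      -HostNameAlias client1.ipa.company.com
"""
from dataclasses import dataclass
from typing import List, Tuple

AD_ZONE = "company.com"       # zone owned by the AD forest
IPA_ZONE = "ipa.company.com"  # zone owned by the FreeIPA "forest"


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    data: str


# Constructed zone content for the example.
RECORDS = [
    Record("ipa1.ipa.company.com", "A", "10.0.1.10"),
    Record("client1.ipa.company.com", "A", "10.0.1.20"),
    Record("client1.ipa.company.com", "AAAA", "2001:db8::20"),
    Record("ipa1.company.com", "CNAME", "ipa1.ipa.company.com"),
    Record("client1.company.com", "CNAME", "client1.ipa.company.com"),
    # Misconfiguration: an IPA-enrolled host with its A record placed
    # directly in the AD zone, which is exactly what the post says to avoid.
    Record("badhost.company.com", "A", "10.0.1.30"),
    # Dangling alias: CNAME into the IPA zone with no target record.
    Record("ghost.company.com", "CNAME", "ghost.ipa.company.com"),
]


def zone_of(name: str) -> str:
    """Return the most specific of the two zones a name falls under."""
    for zone in sorted((AD_ZONE, IPA_ZONE), key=len, reverse=True):
        if name == zone or name.endswith("." + zone):
            return zone
    return ""


def resolve(name: str, records=RECORDS, max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow CNAMEs the way a resolver does; return (canonical name, addresses)."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        cnames = [r for r in records if r.name == name and r.rtype == "CNAME"]
        if cnames:
            name = cnames[0].data
            continue
        addrs = [r.data for r in records if r.name == name and r.rtype in ("A", "AAAA")]
        return name, addrs
    raise ValueError("CNAME chain too long")


def audit_host(short_name: str, records=RECORDS) -> List[str]:
    """Check one IPA-enrolled host; an empty list means the layout is correct."""
    ipa_name = f"{short_name}.{IPA_ZONE}"
    ad_name = f"{short_name}.{AD_ZONE}"
    problems = []
    if any(r.name == ad_name and r.rtype in ("A", "AAAA") for r in records):
        problems.append("address-record-in-ad-zone")
    if not any(r.name == ipa_name and r.rtype in ("A", "AAAA") for r in records):
        problems.append("no-address-record-in-ipa-zone")
    alias = [r for r in records if r.name == ad_name and r.rtype == "CNAME"]
    if not alias:
        problems.append("no-cname-in-ad-zone")
    elif alias[0].data != ipa_name:
        problems.append("cname-points-elsewhere")
    return problems


def dangling_aliases(records=RECORDS) -> List[str]:
    """CNAMEs in the AD zone that point into the IPA zone but resolve to nothing."""
    out = []
    for r in records:
        if r.rtype == "CNAME" and zone_of(r.name) == AD_ZONE and zone_of(r.data) == IPA_ZONE:
            _, addrs = resolve(r.name, records)
            if not addrs:
                out.append(r.name)
    return out


if __name__ == "__main__":
    for host in ("ipa1", "client1", "badhost"):
        print(f"{host}: {audit_host(host) or 'ok'}")
    print("resolve client1.company.com ->", resolve("client1.company.com"))
    print("dangling aliases:", dangling_aliases())
```

Running it reports `badhost` as having its address record in the AD zone (and no alias or IPA record), and flags `ghost.company.com` as a dangling alias, while the two correctly laid-out hosts pass and `client1.company.com` resolves through its CNAME to the IPA-zone name and addresses.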
