[Freeipa-users] FreeIPA domains and sub-domains

Brian Candler b.candler at pobox.com
Thu Oct 27 07:59:06 UTC 2016


On 26/10/2016 21:03, Ranbir wrote:
>
> If I have two networks, say A and B, and I want both to use the same 
> FreeIPA server, should I have one Freeipa domain for network A and a 
> sub-domain for network B, (domain.local and b.domain.local), or should 
> I create two top level domains (a.local and b.local)? What's the 
> recommended way to do this? 

Well, as a first point, I'd say never use a fake domain like ".local". 
Use a subdomain of some real domain that you already have - e.g. 
int.yourcompany.com.  You don't need to expose it to the Internet if you 
don't want to, and a fake domain can cause you problems down the line.

Secondly: do you really need two domains? DNS domains are used as a way to 
delegate administrative responsibility. If the same person is managing 
the DNS for both sites, then you can just as well use one domain.  
Personally I like to embed the site in the hostname (e.g. 
lon-srv-1.int.yourcompany.com), because there are many circumstances in 
which only the shortened hostname "lon-srv-1" is seen, such as syslog 
messages and bash prompts. Hence it's good for the hostname itself to be 
unambiguous.

But if you prefer a different DNS domain for equipment in each site, 
that's not a problem either.  You can either create additional domains 
in FreeIPA (if you want to use the FreeIPA GUI/CLI to manage DNS 
records), or just have separate DNS domains managed elsewhere.  If 
FreeIPA is managing your DNS, you can get it to manage your reverse DNS 
too, by creating domains like 10.in-addr.arpa and 168.192.in-addr.arpa.

Taking this to the extreme: you don't even need to use the same DNS domain 
for your IPA and your other equipment. It's fine to have:

ldap-1.ipa.yourdomain.com
host1.site1.yourdomain.com
host2.site2.yourdomain.com

even if all the hosts are joined into the same Kerberos realm 
IPA.YOURDOMAIN.COM (which sounds like what you're doing).

This is quite a good approach if you already have existing DNS for 
site1.yourdomain.com and site2.yourdomain.com which you don't want to 
change. Having FreeIPA manage its own domain makes it easier to 
automatically locate the Kerberos servers for the realm 
IPA.YOURDOMAIN.COM.  But even that's not necessary if you are happy to 
create the necessary SRV records in the DNS yourself.

The final issue is IPA replicas in multiple sites. Personally I've put 
all my IPA replicas in the same DNS domain (ldap-1.ipa.yourcompany.com; 
ldap-2.ipa.yourcompany.com), and have never tried putting them in 
different DNS domains: e.g.

ipa-1.site1.yourdomain.com
ipa-2.site2.yourdomain.com

I'm not sure if you can do this, and I think it would be safer not to 
unless someone else on this list says it's OK.

Regards,

Brian.
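
The layout Brian describes (hosts in site1/site2.yourdomain.com, realm IPA.YOURDOMAIN.COM, KDCs located via SRV records) can be checked offline. The script below is an added example, not code from the post or from the FreeIPA project: it parses a constructed BIND-style zone fragment (hostnames and 192.0.2.x addresses are hypothetical), works out which realm a host belongs to the way MIT Kerberos does with dns_lookup_realm (a `_kerberos.<domain> TXT` record, the DNS equivalent of a `[domain_realm]` entry in krb5.conf), finds the KDCs the way dns_lookup_kdc does (`_kerberos._udp.<realm in DNS form>` SRV records, ordered by priority and weight), and reports which of the SRV names a FreeIPA server normally publishes are missing from a hand-maintained zone. The constructed zone deliberately omits `_kpasswd._tcp` so the check has something to flag.

```python
"""Added example (not from the original post): how a host in
site1.yourdomain.com locates the KDCs of realm IPA.YOURDOMAIN.COM when the
SRV/TXT records are created by hand instead of by FreeIPA's DNS.
All zone data is constructed; hostnames and addresses are hypothetical."""
from typing import Dict, List, Tuple

# Constructed BIND-style zone fragment. Relative names are under $ORIGIN.
# The SRV records live under the realm name written as a DNS name
# (ipa.yourdomain.com), which is what a Kerberos client queries.
ZONE_TEXT = """
$ORIGIN yourdomain.com.
_kerberos.site1            IN TXT "IPA.YOURDOMAIN.COM"
_kerberos.site2            IN TXT "IPA.YOURDOMAIN.COM"
_kerberos._udp.ipa         IN SRV 0  100 88  ldap-1.ipa.yourdomain.com.
_kerberos._udp.ipa         IN SRV 10 100 88  ldap-2.ipa.yourdomain.com.
_kerberos._tcp.ipa         IN SRV 0  100 88  ldap-1.ipa.yourdomain.com.
_kerberos-master._udp.ipa  IN SRV 0  100 88  ldap-1.ipa.yourdomain.com.
_kerberos-master._tcp.ipa  IN SRV 0  100 88  ldap-1.ipa.yourdomain.com.
_kpasswd._udp.ipa          IN SRV 0  100 464 ldap-1.ipa.yourdomain.com.
_ldap._tcp.ipa             IN SRV 0  100 389 ldap-1.ipa.yourdomain.com.
ldap-1.ipa                 IN A   192.0.2.10
ldap-2.ipa                 IN A   192.0.2.11
host1.site1                IN A   192.0.2.50
"""

# SRV owner names a FreeIPA server publishes under its realm's DNS name;
# a hand-maintained zone should carry the same set.
REQUIRED_SRV = ("_kerberos._udp", "_kerberos._tcp", "_kerberos-master._udp",
                "_kerberos-master._tcp", "_kpasswd._udp", "_kpasswd._tcp",
                "_ldap._tcp")

Zone = Dict[Tuple[str, str], List[str]]   # (owner name, type) -> rdata strings


def parse_zone(text: str) -> Zone:
    """Parse the minimal 'name IN TYPE rdata' form used above (no $TTL,
    no multi-line records). Owner names are lower-cased, no trailing dot."""
    zone: Zone = {}
    origin = ""
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()          # drop comments / blanks
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        name, _cls, rtype, rdata = line.split(None, 3)
        if not name.endswith("."):
            name = f"{name}.{origin}"
        zone.setdefault((name.rstrip(".").lower(), rtype), []).append(rdata)
    return zone


def realm_for_host(zone: Zone, hostname: str) -> str:
    """Mirror dns_lookup_realm: walk from the host's own DNS domain up
    through its parents looking for '_kerberos.<domain> TXT "REALM"'."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        domain = ".".join(labels[i:])
        txt = zone.get((f"_kerberos.{domain}", "TXT"))
        if txt:
            return txt[0].strip('"')
    raise LookupError(f"no _kerberos TXT record above {hostname}")


def kdcs_for_realm(zone: Zone, realm: str,
                   proto: str = "udp") -> List[Tuple[str, int, str]]:
    """Mirror dns_lookup_kdc: read _kerberos._<proto>.<realm in DNS form>,
    order by SRV priority (lower first) then weight (higher first, a
    deterministic stand-in for RFC 2782's weighted random pick) and
    resolve each target's A record."""
    owner = f"_kerberos._{proto}.{realm.lower()}"
    parsed = []
    for rdata in zone.get((owner, "SRV"), []):
        prio, weight, port, target = rdata.split()
        parsed.append((int(prio), -int(weight), int(port),
                       target.rstrip(".").lower()))
    parsed.sort()
    result = []
    for _prio, _negweight, port, target in parsed:
        addrs = zone.get((target, "A"))
        if not addrs:
            raise LookupError(f"SRV target {target} has no A record")
        result.append((target, port, addrs[0]))
    return result


def missing_realm_records(zone: Zone, realm: str) -> List[str]:
    """SRV owner names from REQUIRED_SRV that the zone does not publish."""
    suffix = realm.lower()
    return [f"{name}.{suffix}" for name in REQUIRED_SRV
            if (f"{name}.{suffix}", "SRV") not in zone]


if __name__ == "__main__":
    z = parse_zone(ZONE_TEXT)
    realm = realm_for_host(z, "host1.site1.yourdomain.com")
    print("realm:", realm)
    for host, port, ip in kdcs_for_realm(z, realm):
        print(f"KDC {host}:{port} ({ip})")
    print("missing:", missing_realm_records(z, realm))
```

Run against a real zone, the same three checks tell you whether a host in a site domain can find its realm without a `[domain_realm]` entry, which KDC it will try first, and which records you still have to add before clients that rely on DNS discovery will work.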
