[Freeipa-users] FreeIPA domains and sub-domains

Alexander Bokovoy abokovoy at redhat.com
Thu Oct 27 08:30:10 UTC 2016


On Thu, 27 Oct 2016, Brian Candler wrote:
>On 26/10/2016 21:03, Ranbir wrote:
>>
>>If I have two networks, say A and B, and I want both to use the same 
>>FreeIPA server, should I have one Freeipa domain for network A and a 
>>sub-domain for network B, (domain.local and b.domain.local), or 
>>should I create two top level domains (a.local and b.local)? What's 
>>the recommended way to do this?
>
>Well, as a first point, I'd say never use a fake domain like ".local". 
>Use a subdomain of some real domain that you already have - e.g. 
>int.yourcompany.com.  You don't need to expose it to the Internet if 
>you don't want to, and a fake domain can cause you problems down the 
>line.
>
>Secondly: do you really need two domains? DNS domains are used as way 
>to delegate administrative responsibility. If the same person is 
>managing the DNS for both sites, then you can just as well use one 
>domain.  Personally I like to embed the site in the hostname (e.g. 
>lon-srv-1.int.yourcompany.com), because there are many circumstances in 
>which only the shortened hostname "lon-srv-1" is seen, such as syslog 
>messages and bash prompts. Hence it's good for the hostname itself to 
>be unambiguous.
>
>But if you prefer a different DNS domain for equipment in each site, 
>that's not a problem either.  You can either create additional domains 
>in FreeIPA (if you want to use the FreeIPA GUI/CLI to manage DNS 
>records), or just have separate DNS domains managed elsewhere.  If 
>FreeIPA is managing your DNS, you can get it to manage your reverse 
>DNS too, by creating domains like 10.in-addr.arpa and 
>168.192.in-addr.arpa.
>
>Taking this to extreme: you don't even need to use the same DNS domain 
>for your IPA and your other equipment. It's fine to have:
>
>ldap-1.ipa.yourdomain.com
>host1.site1.yourdomain.com
>host2.site2.yourdomain.com
>
>even if all the hosts are joined into the same Kerberos realm 
>IPA.YOURDOMAIN.COM (which sounds like what you're doing).
>
>This is quite a good approach if you already have existing DNS for 
>site1.yourdomain.com and site2.yourdomain.com which you don't want to 
>change. Having FreeIPA manage its own domain makes it easier to 
>automatically locate the Kerberos servers for the realm 
>IPA.YOURDOMAIN.COM.  But even that's not necessary if you are happy to 
>create the necessary SRV records in the DNS yourself.
>
>The final issue is IPA replicas in multiple sites. Personally I've put 
>all my IPA replicas in the same DNS domain 
>(ldap-1.ipa.yourcompany.com; ldap-2.ipa.yourcompany.com), and have 
>never tried putting them in different DNS domains: e.g.
>
>ipa-1.site1.yourdomain.com
>ipa-2.site2.yourdomain.com
>
>I'm not sure if you can do this, and I think it would be safer not to 
>unless someone else on this list says it's OK.
Yes, you can do that, there is no issue at all.
-- 
/ Alexander Bokovoy
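To make the "one realm, replicas in several DNS domains" layout from the thread concrete, here is an added example (not code from FreeIPA or from either poster) that generates the records clients use for that layout: the SRV records MIT krb5/SSSD query under the realm's own DNS name (ipa.yourdomain.com for realm IPA.YOURDOMAIN.COM) pointing at replicas in site1 and site2, the _kerberos TXT records that map a host's DNS domain to the realm, and the equivalent krb5.conf [domain_realm] stanza for clients that should not rely on DNS realm lookup. The hostnames, realm and TTL are the thread's placeholders and assumptions; the SRV targets still need ordinary A/AAAA records in the site zones, wherever those are managed.

```python
"""Generate realm-discovery DNS records and a krb5.conf [domain_realm] stanza
for one Kerberos realm whose replicas live in different DNS domains.

Added example, not FreeIPA code.  Names below are the thread's placeholders.
"""

# Assumed values, taken from the thread's examples.
REALM = "IPA.YOURDOMAIN.COM"
REPLICAS = ["ipa-1.site1.yourdomain.com", "ipa-2.site2.yourdomain.com"]
CLIENT_DOMAINS = ["site1.yourdomain.com", "site2.yourdomain.com"]

# Service records Kerberos and LDAP clients look up: (label, protocol, port).
# Clients query these under the realm name lowercased as a DNS name, not under
# their own host's domain, which is why they belong in the ipa.yourdomain.com zone.
SERVICES = [
    ("_kerberos", "_udp", 88),
    ("_kerberos", "_tcp", 88),
    ("_kerberos-master", "_udp", 88),
    ("_kerberos-master", "_tcp", 88),
    ("_kpasswd", "_udp", 464),
    ("_kpasswd", "_tcp", 464),
    ("_ldap", "_tcp", 389),
]


def realm_zone(realm):
    """DNS zone under which clients look for the realm's SRV records."""
    return realm.lower()


def fqdn(host):
    """Zone-file form of a target: absolute name with trailing dot."""
    return host if host.endswith(".") else host + "."


def srv_records(realm, replicas, ttl=86400):
    """SRV records for every (service, replica) pair, in zone-file syntax.
    Replicas may sit in any DNS domain; only the owner name is realm-bound."""
    zone = realm_zone(realm)
    lines = []
    for svc, proto, port in SERVICES:
        for host in replicas:
            lines.append(f"{svc}.{proto}.{zone}. {ttl} IN SRV 0 100 {port} {fqdn(host)}")
    return lines


def realm_txt_records(realm, domains, ttl=86400):
    """_kerberos TXT records that let dns_lookup_realm map a host in
    site1/site2 to IPA.YOURDOMAIN.COM.  These go in each site's own zone."""
    return [f"_kerberos.{d}. {ttl} IN TXT \"{realm}\"" for d in domains]


def domain_realm_stanza(realm, domains):
    """krb5.conf mapping for clients that should not trust DNS for the realm
    name.  Needed because the realm is not simply the uppercased host domain."""
    lines = ["[domain_realm]"]
    for d in domains:
        lines.append(f" .{d} = {realm}")
        lines.append(f" {d} = {realm}")
    return "\n".join(lines)


def srv_targets(records):
    """Parse the SRV target hosts back out, e.g. to compare against the
    replica list before loading the zone."""
    return sorted({line.split()[-1].rstrip(".") for line in records})


if __name__ == "__main__":
    for line in srv_records(REALM, REPLICAS):
        print(line)
    for line in realm_txt_records(REALM, CLIENT_DOMAINS):
        print(line)
    print(domain_realm_stanza(REALM, CLIENT_DOMAINS))
    print("SRV targets:", srv_targets(srv_records(REALM, REPLICAS)))
```

Loading the SRV lines into the realm zone and the TXT lines into each site zone (with `ipa dnsrecord-add` if FreeIPA manages those zones, or by hand otherwise) gives clients everything they need to find replicas that are not in the realm's DNS domain; the [domain_realm] stanza is the belt-and-braces alternative for hosts where DNS-based realm mapping is disabled.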