[Freeipa-users] FreeIPA domains and sub-domains
Alexander Bokovoy
abokovoy at redhat.com
Thu Oct 27 08:30:10 UTC 2016
On Thu, 27 Oct 2016, Brian Candler wrote:
>On 26/10/2016 21:03, Ranbir wrote:
>>
>>If I have two networks, say A and B, and I want both to use the same
>>FreeIPA server, should I have one Freeipa domain for network A and a
>>sub-domain for network B, (domain.local and b.domain.local), or
>>should I create two top level domains (a.local and b.local)? What's
>>the recommended way to do this?
>
>Well, as a first point, I'd say never use a fake domain like ".local".
>Use a subdomain of some real domain that you already have - e.g.
>int.yourcompany.com. You don't need to expose it to the Internet if
>you don't want to, and a fake domain can cause you problems down the
>line.
>
>Secondly: do you really need two domains? DNS domains are used as a way
>to delegate administrative responsibility. If the same person is
>managing the DNS for both sites, then you can just as well use one
>domain. Personally I like to embed the site in the hostname (e.g.
>lon-srv-1.int.yourcompany.com), because there are many circumstances in
>which only the shortened hostname "lon-srv-1" is seen, such as syslog
>messages and bash prompts. Hence it's good for the hostname itself to
>be unambiguous.
>
>But if you prefer a different DNS domain for equipment in each site,
>that's not a problem either. You can either create additional domains
>in FreeIPA (if you want to use the FreeIPA GUI/CLI to manage DNS
>records), or just have separate DNS domains managed elsewhere. If
>FreeIPA is managing your DNS, you can get it to manage your reverse
>DNS too, by creating domains like 10.in-addr.arpa and
>168.192.in-addr.arpa.
>
>Taking this to extreme: you don't even need to use the same DNS domain
>for your IPA and your other equipment. It's fine to have:
>
>ldap-1.ipa.yourdomain.com
>host1.site1.yourdomain.com
>host2.site2.yourdomain.com
>
>even if all the hosts are joined into the same Kerberos realm
>IPA.YOURDOMAIN.COM (which sounds like what you're doing).
>
>This is quite a good approach if you already have existing DNS for
>site1.yourdomain.com and site2.yourdomain.com which you don't want to
>change. Having FreeIPA manage its own domain makes it easier to
>automatically locate the Kerberos servers for the realm
>IPA.YOURDOMAIN.COM. But even that's not necessary if you are happy to
>create the necessary SRV records in the DNS yourself.
>
>The final issue is IPA replicas in multiple sites. Personally I've put
>all my IPA replicas in the same DNS domain
>(ldap-1.ipa.yourcompany.com; ldap-2.ipa.yourcompany.com), and have
>never tried putting them in different DNS domains: e.g.
>
>ipa-1.site1.yourdomain.com
>ipa-2.site2.yourdomain.com
>
>I'm not sure if you can do this, and I think it would be safer not to
>unless someone else on this list says it's OK.
Yes, you can do that, there is no issue at all.
--
/ Alexander Bokovoy
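Brian's reply makes two points that are easy to get wrong by hand: the Kerberos realm and the DNS domains of the hosts are independent (the realm's SRV and TXT records just have to point at the KDCs, wherever their names live), and reverse zones like 10.in-addr.arpa follow directly from the site networks. The script below is an added example, not code from the thread or from FreeIPA; the realm, zone and host names are the placeholders used in the thread, and the KDC port numbers are the standard ones (88, 464, 389). It renders the locator records for a realm whose replicas sit in two different site domains, and derives the reverse zone name for a network on an octet boundary, rejecting prefixes that do not map to a single zone.

```python
"""Added example (not from the thread): render the DNS records a Kerberos
realm needs when its KDCs live in DNS domains other than the realm's own,
and derive the in-addr.arpa zone names for the site networks.
Realm, zone and host names are constructed placeholders from the thread."""
import ipaddress

# Standard service locator records clients use for DNS-based realm discovery
# (RFC 4120 section 7.2.3 for Kerberos; _ldap._tcp for the directory).
SRV_SERVICES = (
    ("_kerberos._udp", 88),
    ("_kerberos._tcp", 88),
    ("_kpasswd._udp", 464),
    ("_kpasswd._tcp", 464),
    ("_ldap._tcp", 389),
)


def realm_records(realm: str, zone: str, kdcs: list[str]) -> list[str]:
    """Return zone-file lines publishing `kdcs` as servers for `realm` under `zone`.

    `zone` is the DNS domain clients look the realm up in (the realm name
    lower-cased, in the usual layout). `kdcs` may be in any DNS domain:
    the realm and the hosts' DNS domains are independent, which is the
    point Brian makes about ipa-1.site1 / ipa-2.site2."""
    lines = [f'_kerberos.{zone}. IN TXT "{realm}"']  # realm-name hint record
    for service, port in SRV_SERVICES:
        for kdc in kdcs:
            host = kdc.rstrip(".") + "."  # absolute target name in the zone file
            # priority 0, weight 100: every replica is an equal candidate
            lines.append(f"{service}.{zone}. IN SRV 0 100 {port} {host}")
    return lines


def reverse_zone(cidr: str) -> str:
    """Name of the in-addr.arpa zone covering an IPv4 network on an octet boundary.

    '10.0.0.0/8' -> '10.in-addr.arpa', '192.168.0.0/16' -> '168.192.in-addr.arpa'.
    Prefixes that are not a multiple of 8 need classless delegation (RFC 2317)
    and do not map to one zone, so they are rejected here."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only IPv4 networks on an octet boundary map to one zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


if __name__ == "__main__":
    # Replicas in two site domains, one realm: the layout discussed in the thread.
    for line in realm_records(
        "IPA.YOURDOMAIN.COM",
        "ipa.yourdomain.com",
        ["ipa-1.site1.yourdomain.com", "ipa-2.site2.yourdomain.com"],
    ):
        print(line)
    for cidr in ("10.0.0.0/8", "192.168.0.0/16"):
        print(reverse_zone(cidr))
```

The TXT record is only a hint for clients that map hostnames to realms via DNS; the SRV records are what make "Having FreeIPA manage its own domain makes it easier to automatically locate the Kerberos servers" true, and they work identically when published in a zone managed outside FreeIPA.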