[Freeipa-users] integrated DNS vs external DNS

Martin Basti mbasti at redhat.com
Fri Feb 24 11:07:36 UTC 2017


Adding freeipa-users back to the loop


On 24.02.2017 12:02, Iulian Roman wrote:
> On Thu, Feb 23, 2017 at 4:21 PM, Martin Basti <mbasti at redhat.com 
> <mailto:mbasti at redhat.com>> wrote:
>
>     Hello,
>
>     comments inline
>
>
>     On 23.02.2017 15:07, Iulian Roman wrote:
>>     Despite reading the FreeIPA and Red Hat IdM documentation
>>     regarding DNS, it is still unclear to me if and when
>>     integrated DNS is mandatory. We do have an environment with a
>>     pretty complex DNS setup, which has been in place for years, and there
>>     are no plans to change it.
>
>     Integrated DNS is not mandatory at all. Without IPA DNS you have
>     to manage all IPA system records manually on the external DNS.
>
>>
>>     If I understood the documentation correctly, integrated DNS
>>     is mandatory for configuring an AD trust. Is that correct?
>     No, it is not needed for an AD trust; you need to add additional DNS
>     records.
>
>>
>>     Can the integrated DNS be configured as forward only? Do the
>>     clients need to have IPA DNS as a resolver, or can they just use the
>>     existing DNS server?
>     You don't need to install IPA DNS.
>
>     All records IPA needs can be obtained from the command `ipa
>     dns-update-system-records --dry-run` (IPA 4.4+).
>
>
> There are some SRV records (_kerberos, _kpasswd, _ldap, _ntp) reported
> by the above command which would not be easy to add to the existing
> DNS (DNS updates are form based and allow only A and CNAME
> records). When and by whom are those records used, and what is the
> consequence of not adding them to the existing DNS?
>

These are mainly used by IPA clients (SSSD) with dynamic configuration.
However, you may configure the client to use a static configuration (without
auto-detection of working IPA servers) and it should work. However, I'm
not sure about the DNS records required for an AD trust, or who the consumer
is, whether only SSSD or not.


>
>     Martin
>

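A worked check for the records Martin points to, added here as an example and not code from the thread or from the FreeIPA project: it builds the SRV set an IPA realm is normally published with (one record per server on the standard Kerberos, kpasswd, LDAP and NTP ports, plus the _kerberos TXT record that carries the realm name), diffs that against whatever the external zone actually answers, prints the missing records in zone-file form for the DNS team, and emits the static sssd.conf stanza that lets a client work without SRV discovery. The domain, realm, server names and the zone snapshot are constructed; the dnspython lookup is an optional live backend and is an assumption about that library's API. The authoritative list for a real deployment is still the `--dry-run` output.

```python
"""
Work out which IPA service records an external DNS zone is missing and
emit a static client configuration that works without them.

Added example for this thread, not FreeIPA project code.  The domain,
realm and servers below are constructed for the demonstration.
"""

# Service/protocol/port triples behind the _kerberos, _kpasswd, _ldap and
# _ntp SRV names the thread mentions (standard IANA ports).
IPA_SRV_SERVICES = (
    ("_kerberos", "udp", 88),
    ("_kerberos", "tcp", 88),
    ("_kerberos-master", "udp", 88),
    ("_kerberos-master", "tcp", 88),
    ("_kpasswd", "udp", 464),
    ("_kpasswd", "tcp", 464),
    ("_ldap", "tcp", 389),
    ("_ntp", "udp", 123),
)


def expected_records(domain, realm, servers):
    """Return (owner, rtype, rdata) tuples a zone must carry for this realm.

    One SRV per service and server (priority 0, weight 100), plus the
    _kerberos TXT record that maps the DNS domain to the Kerberos realm.
    """
    records = []
    for service, proto, port in IPA_SRV_SERVICES:
        owner = f"{service}._{proto}.{domain}."
        for server in servers:
            records.append((owner, "SRV", f"0 100 {port} {server}."))
    records.append((f"_kerberos.{domain}.", "TXT", f'"{realm}"'))
    return records


def missing_records(expected, lookup):
    """Records whose rdata is absent from lookup(owner, rtype).

    lookup returns the set of rdata strings currently published for the
    name, so the same code works against a live resolver or a fixture.
    """
    return [r for r in expected if r[2] not in lookup(r[0], r[1])]


def zone_fragment(records, ttl=86400):
    """BIND-style lines an admin can hand to the external DNS team."""
    return "\n".join(f"{o} {ttl} IN {t} {d}" for o, t, d in records)


def static_sssd_domain(domain, servers):
    """sssd.conf [domain] stanza that skips SRV discovery.

    ipa_server lists the servers explicitly; leaving out the _srv_ entry
    is what disables DNS-based server lookup in SSSD.
    """
    return "\n".join([
        f"[domain/{domain}]",
        "id_provider = ipa",
        "auth_provider = ipa",
        "access_provider = ipa",
        "chpass_provider = ipa",
        f"ipa_domain = {domain}",
        f"ipa_server = {', '.join(servers)}",
    ])


def dns_lookup(owner, rtype):
    """Live lookup backend (assumes dnspython 2.x; not used offline)."""
    import dns.resolver
    try:
        return {rr.to_text() for rr in dns.resolver.resolve(owner, rtype)}
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return set()


DOMAIN = "ipa.example.test"
REALM = "IPA.EXAMPLE.TEST"
SERVERS = ["ipa1.ipa.example.test", "ipa2.ipa.example.test"]

# Constructed snapshot of an external zone where the DNS team could only
# add A records plus one hand-made _ldap SRV for the first server.
EXTERNAL_ZONE = {
    ("ipa1.ipa.example.test.", "A"): {"192.0.2.10"},
    ("ipa2.ipa.example.test.", "A"): {"192.0.2.11"},
    ("_ldap._tcp.ipa.example.test.", "SRV"): {"0 100 389 ipa1.ipa.example.test."},
}


def fixture_lookup(owner, rtype):
    return EXTERNAL_ZONE.get((owner, rtype), set())


def audit_external_zone():
    """Return (expected, missing) for the constructed zone above."""
    expected = expected_records(DOMAIN, REALM, SERVERS)
    return expected, missing_records(expected, fixture_lookup)


if __name__ == "__main__":
    expected, missing = audit_external_zone()
    print(f"{len(missing)} of {len(expected)} records missing:")
    print(zone_fragment(missing))
    print()
    print(static_sssd_domain(DOMAIN, SERVERS))
```

Swap `fixture_lookup` for `dns_lookup` to audit a real zone; the zone-fragment output is what to send to the team that can only add records through a form, and the sssd.conf stanza is the fallback for clients while those records are still missing.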

