<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div>Pieter,</div><div>If you are comfortable with duplicating your external records internally, you CAN use this domain, however I've always preferred to have internal only and external only domains (we actually register domains externally that are internal use only). so for example, lautus.net is your external domain, for internal you could use a subdomain like ipa.lautus.net or lautus.tech.</div><div><br data-mce-bogus="1"></div><div>Split DNS isn't wrong, but it never makes things easier. your SRV records would only need to be duplicated if your users are @lautus.net and not @ipa.lautus.net or @ad.lautus.net.</div><div><br data-mce-bogus="1"></div><div>I hope this helps, this is all general dns infrastructure, so you could also checkout any other resources on building domain/forest infrastructure recommendations </div><div><br></div><div data-marker="__SIG_PRE__"><div>Good Luck,<br><br>Jacob</div></div><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><b>From: </b>"Pieter Nagel" <pieter@lautus.net><br><b>To: </b>"freeipa-users" <freeipa-users@redhat.com><br><b>Sent: </b>Wednesday, December 7, 2016 8:33:41 AM<br><b>Subject: </b>Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.<br></div><div><br></div><div data-marker="__QUOTED_TEXT__"><div dir="ltr"><div class="gmail_extra">Thanks, that helps a lot.</div><div class="gmail_extra"><br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid #cccccc; padding-left: 1ex;" data-mce-style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid #cccccc; padding-left: 1ex;">Yes and no. What you see with "@ NS ..." is a glue record -- you are<br> supposed to have a glue record for IPA domain in the upstream domain,<br> this is how domain delegation works in DNS world.</blockquote></div><div class="gmail_extra"><br></div>Except what i saw was the other way around. The FreeIPA server has an NSrecord claiming that it is authoritative the parent domain, but its parent domain is hosted at dnsmadeeasy:</div><div class="gmail_extra"><br></div><div class="gmail_extra">~ dig @<a href="http://8.8.8.8" target="_blank">8.8.8.8</a> -t NS <a href="http://lautus.net" target="_blank">lautus.net</a><br></div><div class="gmail_extra"><a href="http://lautus.net" target="_blank">lautus.net</a>.<span class="gmail-Apple-tab-span" style="white-space: pre;" data-mce-style="white-space: pre;"> </span>86399<span class="gmail-Apple-tab-span" style="white-space: pre;" data-mce-style="white-space: pre;"> </span>IN<span class="gmail-Apple-tab-span" style="white-space: pre;" data-mce-style="white-space: pre;"> </span>NS<span class="gmail-Apple-tab-span" style="white-space: pre;" data-mce-style="white-space: pre;"> </span><a href="http://ns15.dnsmadeeasy.com" target="_blank">ns15.dnsmadeeasy.com</a>.<br></div><div class="gmail_extra"><div class="gmail_extra">~ dig @<a href="http://8.8.8.8" target="_blank">8.8.8.8</a> -t NS <a href="http://ipa.lautus.net" target="_blank">ipa.lautus.net</a></div><div class="gmail_extra"><a href="http://ipa.lautus.net" target="_blank">ipa.lautus.net</a>.<span class="gmail-Apple-tab-span" style="white-space: pre;" data-mce-style="white-space: pre;"> </span>86399<span class="gmail-Apple-tab-span" style="white-space: pre;" data-mce-style="white-space: pre;"> </span>IN<span class="gmail-Apple-tab-span" style="white-space: pre;" data-mce-style="white-space: pre;"> </span>NS<span class="gmail-Apple-tab-span" style="white-space: pre;" data-mce-style="white-space: pre;"> </span><a href="http://ipa-hetzner-cpt4-01.lautus.net" target="_blank">ipa-hetzner-cpt4-01.lautus.net</a>.</div><br><div>But as far as the FreeIPA DNS is concerned, it is authoritative for everything:</div><br><div>~ dig @<a href="http://ipa-hetzner-cpt4-01.lautus.net" target="_blank">ipa-hetzner-cpt4-01.lautus.net</a> -t NS <a href="http://lautus.net" target="_blank">lautus.net</a></div><div><div><a href="http://lautus.net" target="_blank">lautus.net</a>.<span class="gmail-Apple-tab-span" style="white-space: pre;" data-mce-style="white-space: pre;"> </span>86400<span class="gmail-Apple-tab-span" style="white-space: pre;" data-mce-style="white-space: pre;"> </span>IN<span class="gmail-Apple-tab-span" style="white-space: pre;" data-mce-style="white-space: pre;"> </span>NS<span class="gmail-Apple-tab-span" style="white-space: pre;" data-mce-style="white-space: pre;"> </span><a href="http://ipa-hetzner-cpt4-01.lautus.net" target="_blank">ipa-hetzner-cpt4-01.lautus.net</a>.</div></div><div><div>~ dig @<a href="http://ipa-hetzner-cpt4-01.lautus.net" target="_blank">ipa-hetzner-cpt4-01.lautus.net</a> -t NS <a href="http://ipa.lautus.net" target="_blank">ipa.lautus.net</a></div><div><a href="http://ipa.lautus.net" target="_blank">ipa.lautus.net</a>.<span class="gmail-Apple-tab-span" style="white-space: pre;" data-mce-style="white-space: pre;"> </span>86400<span class="gmail-Apple-tab-span" style="white-space: pre;" data-mce-style="white-space: pre;"> </span>IN<span class="gmail-Apple-tab-span" style="white-space: pre;" data-mce-style="white-space: pre;"> </span>NS<span class="gmail-Apple-tab-span" style="white-space: pre;" data-mce-style="white-space: pre;"> </span><a href="http://ipa-hetzner-cpt4-01.lautus.net" target="_blank">ipa-hetzner-cpt4-01.lautus.net</a>.</div></div><br><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr">Pieter Nagel<div>Lautus Solutions (Pty) Ltd</div><div><div style="font-size: small;" data-mce-style="font-size: small;">Building 27, The Woodlands, 20 Woodlands Drive, Woodmead, Gauteng</div></div><div>0832587540</div></div></div></div></div> </div></div> <br>-- <br>Manage your subscription for the Freeipa-users mailing list:<br>https://www.redhat.com/mailman/listinfo/freeipa-users<br>Go to http://freeipa.org for more info on the project<br></div></div></body></html>