Unless I am way off here, what I need to do is set the replica to NOT be DNS, but then stand up another replica inside the same "location" with DNS and make sure the hosts in that location talk to it, and in the inside location, they talk to the other host. The point is, and I think this is what I missed, not ALL replicas have to have DNS set up. And that resolves the problem with the 2 talking that are connected across the NAT.

Please tell me I am on the right path?


I think I see the problem - I am really trying to do Split DNS in this configuration. So I need to keep DNS working, but somehow there must be a way to have the replica on the outside of the firewall understand that there is split DNS involved. I am having an issue figuring out whether FreeIPA DNS can do that. Any pointers to some docs?


Here is an odd problem (I think).

I am using IPA in one environment, and want to set up a replica in another environment through NATed connections. I can set up the client to the NAT server, but here is the tricky part - IPA is also DNS. So if I try to bring the DNS setup over with --

ipa-replica-install --setup-dns --forwarder=10.x.x.x --setup-ca

It fails, because when it tries to look up the master on the other side of the NAT FW, of course it resolves incorrectly. The first failure is conn-check, so even if I --skip-conncheck, it still fails since DNS will not resolve.
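The failure above comes down to what the master's name resolves to when queried from the prospective replica. The following preflight script is an added example, not code from the thread or from FreeIPA: run it on the replica-to-be before ipa-replica-install, and it reports whether the master's A record resolves only to RFC 1918 addresses (which a host outside the NAT cannot reach). The master hostname is a placeholder you substitute.

```shell
#!/bin/sh
# Preflight check for installing a FreeIPA replica across a NAT boundary.
# Resolves the master's name with the system resolver (the same resolver
# ipa-replica-install uses) and flags answers that are RFC 1918 addresses.
# The hostname passed to check_master is a placeholder, not a real host.

# Return 0 if the dotted-quad IPv4 address in $1 is in an RFC 1918 range
# (10/8, 172.16/12, 192.168/16); return 1 otherwise.
is_rfc1918() {
    case "$1" in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a space-separated list of A-record answers for use from a host
# OUTSIDE the NAT: "ok" if at least one public address is present,
# "private-only" if every answer is RFC 1918, "unresolved" if there are none.
classify_answers() {
    answers="$1"
    [ -z "$answers" ] && { echo unresolved; return; }
    public=0
    for a in $answers; do
        is_rfc1918 "$a" || public=1
    done
    [ "$public" -eq 1 ] && echo ok || echo private-only
}

# Resolve the master name (dig comes with bind-utils, which ipa-server pulls
# in) and print a verdict; exit status 0 only when the verdict is "ok".
check_master() {
    master="$1"
    answers=$(dig +short A "$master" 2>/dev/null | grep -E '^[0-9.]+$' | tr '\n' ' ')
    verdict=$(classify_answers "$answers")
    echo "$master -> ${answers:-<none>} : $verdict"
    case "$verdict" in
        ok) return 0 ;;
        *) return 1 ;;
    esac
}

# Example usage (placeholder hostname):
#   check_master ipa-master.example.test
```

A "private-only" verdict means the name the replica is about to use resolves to an address that only exists inside the NAT, which is exactly the case where conn-check and the subsequent LDAP/Kerberos connections fail.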
