hello,

I want to do a one-way AD trust on a multidatacenter environment. This is the 
topology (2 AD servers and 2 IPA servers on each location replicated each 
other):

DATACENTER1:
AD1dc1.ad.example.com
AD2dc1.ad.example.com
IPA1dc1.ipa.example.com
IPA2dc1.ipa.example.com


DATACENTER2:
AD1dc2.ad.example.com
AD2dc2.ad.example.com
IPA1dc2.ipa.example.com
IPA2dc2.ipa.example.com

The problem I see is that when I execute "ipa trust-add" it will connect to any of 
the 4 AD servers as it searches for the SRV records, and I want (I think it is the 
best option) IPA servers to connect to just the AD servers on their datacenter:
_SERVICE._PROTOCOL[.dc._msdcs]

and I want to use SRV records with sites like:
# dig +short -t SRV _kerberos._udp.dc1-Site._sites.ad.example.com.
0 100 88 AD1dc1.ad.example.com.
0 100 88 AD2dc1.ad.example.com.

# dig +short -t SRV _kerberos._udp.dc2-Site._sites.ad.example.com.
0 100 88 AD1dc2.ad.example.com.
0 100 88 AD2dc2.ad.example.com.

I was wondering about creating the trust using the DNS of the site (only resolves IPs 
of the AD servers on this datacenter), for example from IPA1dc1.ipa.example.com:
ipa trust-add --type=ad ad.example.com --server=dc1.ad.example.com 
--trust-secret

But the problem here is: how do I configure IPA servers on Datacenter2 to connect 
to AD servers on datacenter2 (DNS: dc2.ad.example.com)?

Thanks.

/Miguel Soler
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
