I was tasked with setting up FreeIPA & Active Directory and connecting them 
with a trust relationship. 

On FreeIPA 4.5, I created ipa.companydomain.com, set up an internal DNS zone 
for companydomain.com (which my company has used for both internal and external 
DNS - a bad practice, I know), and then tried to establish a trust relationship 
with Active Directory 2016. No dice. Alexander B. on here told me that AD does 
not expect that a forest can have a TLN which is superior to AD forest's root 

A Microsoft article on AD best practices recommends registering a public domain 
and then using a subdomain of that for internal purposes. That sounds sensible. 
Here's what I envision: 

companyname.com (external sites + external DNS) -> corp.companyname.com 
(FreeIPA + intranet DNS) -> ad.corp.companyname.com (Active Directory domain) 

Does that sound sensible? Just wanted to run it by someone else so I don't end 
up surprised again. 

Justin Smith 
IT Analyst 
MIM Software, Inc. 
[ https://www.mimsoftware.com/ | https://www.mimsoftware.com ] 
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to