On Thu, 16 Nov 2017, Justin Smith via FreeIPA-users wrote:
I was tasked with setting up FreeIPA & Active Directory and connecting them with a trust relationship. On FreeIPA 4.5, I created ipa.companydomain.com, set up an internal DNS zone for companydomain.com (which my company has used for both internal and external DNS - a bad practice, I know), and then tried to establish a trust relationship with Active Directory 2016. No dice. Alexander B. on here told me that AD does not expect that a forest can have a TLN which is superior to the AD forest's root domain.

A Microsoft article on AD best practices recommends registering a public domain and then using a subdomain of that for internal purposes. That sounds sensible. Here's what I envision:

  companyname.com (external sites + external DNS)
  -> corp.companyname.com (FreeIPA + intranet DNS)
  -> ad.corp.companyname.com (Active Directory domain)

Does that sound sensible? Just wanted to run it by someone else so I don't end up surprised again.
It should work. What did not work in your case is that your corp.companyname.com IPA forest claimed the companyname.com TLN as belonging to it. I think this is what caused Active Directory to fail, if my interpretation of MS-LSAD is right, but it is still unclear.

As to AD being a DNS sub-domain of IPA, I just had this tested today for some other reason. I set up IPA as the superior DNS zone to AD (IPA: l.ipa.cool, AD: ad.l.ipa.cool) and everything just worked fine. AD was built on Windows Server 1709 but this shouldn't be a limiting factor.

So far I have seen two specific issues with DNS domain arrangements when establishing trust between IPA and AD:

-- AD domain defines a UPN suffix covering DNS domains owned by IPA (AD: ad.example.com, IPA: example.com, AD has UPN suffix example.com). This does not work because AD claims that the TLN example.com belongs to its forest. Removing the UPN suffix from AD makes things work, as does moving IPA to ipa.example.com or a similar domain.

-- AD domain has a trust relationship to another AD forest which has either a UPN suffix or an AD domain overlapping with IPA domain(s). This is one of the simpler cases and I actually added logic to FreeIPA 4.5 to handle some of the DNS conflicts in multiple-forest trusts.

--
/ Alexander Bokovoy
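The two conflict cases Alexander lists above can be checked before running the trust setup. The following is an added example written for this page, not FreeIPA's own trust-validation code: it models each forest by the names it claims as TLNs (its DNS domains plus any UPN suffixes), walks the AD partner and the forests it directly trusts, and flags every name that IPA also claims. The forest names, domains and the `Forest`/`Conflict` types are constructed for illustration. Only exact name matches are flagged; the "superior TLN" situation from the first reply is deliberately left out, since the thread itself calls its rules unclear.

```python
"""Find TLN overlaps between an IPA forest and an AD trust partner.

Example code added to illustrate the thread's two failure cases; it is
not part of FreeIPA. All forest data below is constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop a trailing dot so matches are exact."""
    return name.strip().rstrip(".").lower()


@dataclass
class Forest:
    """A forest as seen by a trust partner: DNS domains, UPN suffixes,
    and (for AD) the other forests it already trusts."""
    name: str
    domains: List[str]
    upn_suffixes: List[str] = field(default_factory=list)
    trusted_forests: List["Forest"] = field(default_factory=list)

    def claimed_names(self) -> List[Tuple[str, str]]:
        """Names this forest claims as TLNs, tagged with where they come from."""
        claims = [(normalize(d), "domain") for d in self.domains]
        claims += [(normalize(u), "upn-suffix") for u in self.upn_suffixes]
        return claims


@dataclass(frozen=True)
class Conflict:
    name: str         # the TLN both sides claim
    ad_forest: str    # AD-side forest claiming it
    origin: str       # "domain" or "upn-suffix"
    via_trust: bool   # True when claimed by a forest the partner trusts, not the partner


def find_tln_conflicts(ipa: Forest, ad: Forest) -> List[Conflict]:
    """Return every TLN claimed by both IPA and the AD side.

    Case 1: the AD partner's own domain or UPN suffix equals an IPA domain.
    Case 2: a forest the AD partner directly trusts claims a name IPA owns.
    """
    ipa_names = {n for n, _ in ipa.claimed_names()}
    conflicts: List[Conflict] = []
    # One hop only: the partner itself, then the forests it trusts directly.
    for forest, via_trust in [(ad, False)] + [(f, True) for f in ad.trusted_forests]:
        for name, origin in forest.claimed_names():
            if name in ipa_names:
                conflicts.append(Conflict(name, forest.name, origin, via_trust))
    return conflicts


def remediation(c: Conflict) -> str:
    """Suggest the fix the thread describes for each kind of overlap."""
    if c.origin == "upn-suffix" and not c.via_trust:
        return (f"remove UPN suffix {c.name} from {c.ad_forest}, "
                f"or move IPA to a sub-domain such as ipa.{c.name}")
    if c.via_trust:
        return (f"{c.ad_forest} (trusted by the AD partner) also claims {c.name}; "
                f"rename the IPA domain or exclude that forest")
    return f"{c.ad_forest} owns {c.name} as a domain; IPA cannot claim it too"


if __name__ == "__main__":
    # Constructed data mirroring the first failure case in the thread.
    ipa = Forest("IPA", ["example.com"])
    ad = Forest("AD", ["ad.example.com"], upn_suffixes=["example.com"])
    for c in find_tln_conflicts(ipa, ad):
        print(f"conflict on {c.name} ({c.origin} of {c.ad_forest}): {remediation(c)}")
    # Constructed data mirroring the multi-forest case.
    other = Forest("OTHER", ["example.com"])
    ad2 = Forest("AD", ["ad.corp.test"], trusted_forests=[other])
    for c in find_tln_conflicts(ipa, ad2):
        print(f"conflict on {c.name} ({c.origin} of {c.ad_forest}): {remediation(c)}")
```

Running it shows one conflict for the UPN-suffix case and one for the trusted-forest case; dropping the suffix from `AD` or moving IPA to `ipa.example.com` yields an empty list, matching the two fixes described in the reply.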