On to, 16 marras 2017, Justin Smith via FreeIPA-users wrote:

I was tasked with setting up FreeIPA & Active Directory and connecting
them with a trust relationship.

On FreeIPA 4.5, I created ipa.companydomain.com, set up an internal DNS
zone for companydomain.com (which my company has used for both internal
and external DNS - a bad practice, I know), and then tried to establish
a trust relationship with Active Directory 2016. No dice. Alexander B.
on here told me that AD does not expect that a forest can have a TLN
which is superior to AD forest's root domain.

A Microsoft article on AD best practices recommends registering a
public domain and then using a subdomain of that for internal purposes.
That sounds sensible. Here's what I envision:

companyname.com (external sites + external DNS) -> corp.companyname.com (FreeIPA + 
intranet DNS) -> ad.corp.companyname.com (Active Directory domain)

Does that sound sensible? Just wanted to run it by someone else so I
don't end up surprised again.
It should work. What did not work in your case is that your
corp.companyname.com IPA forest claimed companyname.com TLN belonging to
it. I think this is what caused Active Directory to fail if my
interpretation of MS-LSAD is right but it is still unclear.

As to AD being a DNS sub-domain of IPA, I just had this tested today for
some other reason. I set up IPA as superior DNS zone to AD (IPA:
l.ipa.cool, AD: ad.l.ipa.cool) and everything just worked fine. AD was
built on Windows Server 1709 but this shouldn't be a limiting factor.

So far I have seen two specific issues with DNS domain arrangements when
establishing trust between IPA and AD:

-- AD domain defines UPN suffix covering DNS domains owned by IPA (AD:
ad.example.com, IPA: example.com, AD has UPN suffix example.com). This
does not work because AD claims TLN example.com to belong to their
forest. Removing UPN suffix from AD makes things working, as well as
moving IPA to ipa.example.com or a similar domain.

-- AD domain has trust relationship to another AD forest which has
either UPN or an AD domain overlapping with IPA domain(s). This is one
of simpler cases and I actually added a logic to freeIPA 4.5 to handle
some of DNS conflicts in multiple forest trusts.

/ Alexander Bokovoy
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to