> On 7 Feb 2018, at 21:51, Andrew Meyer via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org 
> <mailto:freeipa-users@lists.fedorahosted.org>> wrote:
> We are trying to deploy FreeIPA in our environment, this will be a mix of 
> local servers and server to manage auth in EC2.  We have a vpn tunnel setup 
> and are able to communicate across it.  Ina Amazon Linux 2 instance I was 
> able to get FreeIPA installed as a client and am now trying to promote it to 
> a replica.  However I am getting the following error:
> [ec2-user@freeipa-host ~]$ sudo ipa-replica-install --setup-ca 
> --ssh-trust-dns --mkhomedir --setup-kra
> Password for ad...@domain.net <mailto:ad...@domain.net>:
> ipa         : ERROR    Reverse DNS resolution of address 
> (infra-freeipa1-aws.gatewayblend.net 
> <http://infra-freeipa1-aws.gatewayblend.net/>) failed. Clients may not 
> function properly. Please check your DNS setup. (Note that this check queries 
> IPA DNS directly and ignores /etc/hosts.)
> Doing some digging on Google I found this 
> https://yyhh.org/blog/2017/12/freeipa-aws-ec2 
> <https://yyhh.org/blog/2017/12/freeipa-aws-ec2>.  
> In this instance DNS was NOT setup on the FreeIPA machine in AWS and fqdn 
> were setup in /etc/hosts and /etc/hostname.  
> 1) is the the preferred method?
> 2) Could I still install DNS on the server in AWS to ONLY manage an internal 
> zone?

Hello Andrew!
In this case, the note in your error message is important: There is no reverse 
address for in FreeIPA. You’ll need to access it and add the 
reverse zone in Network Services -> DNS and add a PTR entry for your new 
replica (

After this you shouldn’t have problems with setting up replicas. If you use a 
VPN, you may have to set up a split-horizon DNS, so that your replication 
traffic will go through the VPN.

Aljaž Srebrnič a.k.a g5pw
My public key:  https://g5pw.me/key <https://g5pw.me/key>
Key fingerprint = 2109 8131 60CA 01AF 75EC  01BF E140 E1EE A54E E677

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to