Hi Brian,

I spent a lot of time on this topic. In the end we decided to do the
following:

Microsoft domain: melb.example.com
Linux Domain: group.example.com

The Linux DNS server is a slave to the Windows AD DNS servers & a
master DNS for "group.example.com".

All PCs point to our Linux DNS server which is hosting a slave copy of
the melb.example.com. Amazingly this all works fine. 

Note: at the moment at least, we are keeping two separate user lists. I
had sync working at one stage, but couldn't get the group memberships to
come over correctly when going from Linux --> AD.

cya

Craig

On Thu, Feb 23, 2012 at 09:12:37PM -0500, Brian Cook wrote:
> I would not expect that there would be any problem with AD and IPA coexisting 
> when the realm names are different, but I have heard reports that there are 
> problems, especially when Linux clients are configured to use AD for DNS.  
> Trying to figure out what the problem is.  I understand your delegated dns 
> setup.  What if the customer must use AD for all DNS?  
> 
> -Brian
> 
> On Feb 23, 2012, at 3:28 PM, Steven Jones <steven.jo...@vuw.ac.nz> wrote:
> 
> > Hi,
> > 
> > Subnet? IP addressing will not matter; it's DNS that is the main issue, for me 
> > anyway. I can't see IP / subnets mattering?
> > 
> > So, yes if you have AD as the same realm as IPA then only one will work 
> > well from what I can read, IPA has to have its neat 
> > auto-discovery/balancing features turned off, or at least hobbled.
> > 
> > So, as an example I have vuw.ac.nz as the AD DNS domain / Kerberos realm and 
> > then unix.vuw.ac.nz as the sub-domain / sub Kerberos realm, with AD 
> > delegating DNS to the IPA servers. This way the unix domain is "independent 
> > but referenced"...
> > 
> > e.g. I find the auto-discovery is working fine...
> > 
> > So Windows clients talk to AD directly, Linux clients talk to IPA directly; 
> > if the Linux clients need to DNS the IPA servers get that for them from 
> > AD.....
> > 
> > I have some Visio diagrams of how I have done it if you want them.... it may 
> > not be the best way, but with so little architecture info available it's all 
> > I have.
> > 
> > 
> > regards
> > 
> > Steven Jones
> > 
> > Technical Specialist - Linux RHCE
> > 
> > Victoria University, Wellington, NZ
> > 
> > 0064 4 463 6272
> > 
> > ________________________________
> > From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] 
> > on behalf of Brian Cook [bc...@redhat.com]
> > Sent: Friday, 24 February 2012 9:59 a.m.
> > To: freeipa-users@redhat.com
> > Subject: [Freeipa-users] need info on AD / IPA coexistence
> > 
> > I have heard that we currently have problems with IPA and AD existing on 
> > the same subnet, possibly only when using AD as DNS servers, possibly even 
> > when the realm names are different.  I have not been able to find good 
> > concrete information or BZ's regarding this.  I am looking for 
> > clarification as to what problems exist, why, is it a bug or just a fact, 
> > is it our bug or is it an MS-AD issue, etc.  I need to understand what is 
> > going on as I have customers who are looking to deploy mixed IPA / AD 
> > environments.  Any help or information would be appreciated.
> > 
> > Thanks,
> > Brian
> > 
> > ---
> > Brian Cook
> > Solutions Architect, West Region
> > Red Hat, Inc.
> > 407-212-7079
> > bc...@redhat.com
> > 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
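A BIND named.conf sketch of the arrangement Craig describes above (the Linux server holds a slave copy of the AD zone, is master for the Linux zone, and is the only resolver the PCs point at), added here as an example and not taken from the thread or from any FreeIPA documentation. All addresses, file names and the TSIG key name are constructed; the forwarders block is an assumption (the thread only says the Linux server answers for the AD zone), and the AD DNS servers must separately be configured to allow zone transfers to this host.

```conf
// /etc/named.conf (fragment) -- constructed example, not from the thread
options {
    directory "/var/named";
    listen-on { 10.1.0.5; };            // this Linux DNS server (constructed)
    recursion yes;
    allow-recursion { 10.1.0.0/16; };   // only our own PCs may recurse through us
    allow-transfer { none; };           // default: hand out no zone copies
    // Assumption: names outside the two zones below are resolved by
    // forwarding to the AD DCs, so PCs can point solely at this server.
    forwarders { 10.1.0.10; 10.1.0.11; };
};

// Secondary (slave) copy of the Windows AD zone; the DCs are the masters.
// AD's own SRV records (_ldap._tcp, _kerberos._tcp, ...) arrive with the
// transfer, so Windows clients still locate their DCs via this server.
zone "melb.example.com" IN {
    type slave;
    file "slaves/melb.example.com.db";
    masters { 10.1.0.10; 10.1.0.11; };  // AD DNS servers (constructed)
    // Accept NOTIFY only from the DCs so the slave refreshes promptly
    // without letting arbitrary hosts trigger transfers.
    allow-notify { 10.1.0.10; 10.1.0.11; };
};

// Primary (master) zone for the Linux domain.
zone "group.example.com" IN {
    type master;
    file "group.example.com.db";
    // Dynamic updates only with a TSIG key, never by source address alone.
    allow-update { key "group-update-key"; };
    allow-transfer { 10.1.0.6; };       // our own secondary (constructed)
};

key "group-update-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder; generate with tsig-keygen
};
```

Check the slave is actually current with `rndc zonestatus melb.example.com` (or the refresh/transfer messages in the named log); a slave whose transfers are silently refused by the DCs keeps serving stale AD data until its SOA expire timer runs out.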
