I spent a lot of time on this topic. In the end we decided to do the
Microsoft domain: melb.example.com
Linux Domain: group.example.com
The Linux DNS server is a slave to the Windows AD DNS servers and a
master DNS for "group.example.com".
All PCs point to our Linux DNS server, which is hosting a slave copy of
melb.example.com. Amazingly this all works fine.
Note: at the moment at least, we are keeping two separate user lists. I
had sync working at one stage, but couldn't get the group memberships to
come over correctly when going from Linux --> AD.
On Thu, Feb 23, 2012 at 09:12:37PM -0500, Brian Cook wrote:
> I would not expect that there would be any problem with AD and IPA coexisting
> when the realm names are different, but I have heard reports that there are
> problems, especially when Linux clients are configured to use AD for DNS.
> Trying to figure out what the problem is. I understand your delegated dns
> setup. What if the customer must use AD for all DNS?
> On Feb 23, 2012, at 3:28 PM, Steven Jones <steven.jo...@vuw.ac.nz> wrote:
> > Hi,
> > Subnet? IP addressing will not matter; it's DNS that is the main issue, for me
> > anyway. I can't see how IP / subnets matter?
> > So, yes, if you have AD as the same realm as IPA then only one will work
> > well from what I can read; IPA has to have its neat
> > auto-discovery/balancing features turned off, or at least hobbled.
> > So, as an example I have vuw.ac.nz as the AD DNS domain/Kerberos realm and
> > then unix.vuw.ac.nz as the sub-domain/sub Kerberos realm, with AD
> > delegating DNS to the IPA servers. This way the unix domain is "independent
> > but referenced"...
> > e.g. I find the auto-discovery is working fine...
> > So Windows clients talk to AD directly, Linux clients talk to IPA directly;
> > if the Linux clients need to DNS, the IPA servers get that for them from
> > AD...
> > I have some Visio diagrams of how I have done it if you want them... it may
> > not be the best way, but with so little architecture info available it's all
> > I have.
> > regards
> > Steven Jones
> > Technical Specialist - Linux RHCE
> > Victoria University, Wellington, NZ
> > 0064 4 463 6272
> > ________________________________
> > From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
> > on behalf of Brian Cook [bc...@redhat.com]
> > Sent: Friday, 24 February 2012 9:59 a.m.
> > To: email@example.com
> > Subject: [Freeipa-users] need info on AD / IPA coexistence
> > I have heard that we currently have problems with IPA and AD existing on
> > the same subnet, possibly only when using AD as DNS servers, possibly even
> > when the realm names are different. I have not been able to find good
> > concrete information or BZs regarding this. I am looking for
> > clarification as to what problems exist, why, is it a bug or just a fact,
> > is it our bug or is it an MS-AD issue, etc. I need to understand what is
> > going on as I have customers who are looking to deploy mixed IPA / AD
> > environments. Any help or information would be appreciated.
> > Thanks,
> > Brian
> > ---
> > Brian Cook
> > Solutions Architect, West Region
> > Red Hat, Inc.
> > 407-212-7079
> > bc...@redhat.com
> Freeipa-users mailing list
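The delegated layout Steven describes (AD authoritative for vuw.ac.nz, the unix.vuw.ac.nz sub-zone delegated to the IPA servers, each realm's clients discovering their own KDCs through SRV records) only stays "independent but referenced" if the delegation is consistent on both sides. The following is an added example, not FreeIPA or AD code, of the consistency check a practitioner would run against the two zones before pointing clients at them; it is also the check to do when, as Brian asks, AD must host the parent. The zone contents are constructed from the thread's domain names; the host names (dc1, ipa1, ipa2) and addresses are assumptions.

```python
"""Consistency check for an AD parent zone delegating a sub-zone to IPA.

Added example for this thread, not FreeIPA or AD code.  Zone contents are
constructed to mirror the described layout (vuw.ac.nz in AD, unix.vuw.ac.nz
delegated to IPA); host names and addresses are assumptions.  Stdlib only.
Records are (owner, type, rdata) triples, as you would get from a zone dump
or from dig AXFR.
"""


def fqdn(name):
    """Normalise a DNS name: lowercase, no trailing dot."""
    return name.lower().rstrip(".")


def index(records):
    """Index records as {(owner, TYPE): [rdata, ...]}."""
    idx = {}
    for owner, rtype, rdata in records:
        idx.setdefault((fqdn(owner), rtype.upper()), []).append(rdata)
    return idx


def under(name, apex):
    """True if name is apex itself or lies below it."""
    name, apex = fqdn(name), fqdn(apex)
    return name == apex or name.endswith("." + apex)


def srv_target(rdata):
    """Target host of an SRV rdata string 'prio weight port target'."""
    return fqdn(rdata.split()[3])


def check_delegation(parent, parent_apex, child, child_apex):
    """Return a list of problems with parent delegating child_apex to child.

    Checks: the NS set at the delegation point in the parent matches the
    child's apex NS set; in-zone name servers have glue A records in the
    parent; nothing else in the parent sits under the delegation point (a
    stray record there masks the child zone, the classic "someone created a
    host called unix in AD" mistake); and each zone's _kerberos._tcp and
    _ldap._tcp SRV records point at hosts inside that zone, so Windows
    clients are steered to AD and Linux clients to IPA.
    """
    parent_apex, child_apex = fqdn(parent_apex), fqdn(child_apex)
    p, c = index(parent), index(child)
    problems = []

    parent_ns = {fqdn(n) for n in p.get((child_apex, "NS"), [])}
    child_ns = {fqdn(n) for n in c.get((child_apex, "NS"), [])}
    if not parent_ns:
        problems.append(f"{parent_apex}: no NS delegation for {child_apex}")
    elif parent_ns != child_ns:
        problems.append(f"{child_apex}: NS set in parent {sorted(parent_ns)} "
                        f"differs from child apex NS set {sorted(child_ns)}")

    for ns in sorted(parent_ns):
        if under(ns, child_apex) and not p.get((ns, "A")):
            problems.append(f"{parent_apex}: missing glue A record for {ns}")

    for owner, rtype in sorted(p):
        if not under(owner, child_apex):
            continue
        if owner == child_apex and rtype in ("NS", "DS"):
            continue  # delegation NS (and DS, if signed) belong here
        if rtype == "A" and owner in parent_ns:
            continue  # glue
        problems.append(f"{parent_apex}: stray {rtype} record at {owner} "
                        "below the delegation point")

    # (apex, index, sub-zone delegated away from it) for each zone
    for apex, idx, delegated in ((parent_apex, p, child_apex), (child_apex, c, None)):
        for svc in ("_kerberos._tcp", "_ldap._tcp"):
            targets = [srv_target(r) for r in idx.get((f"{svc}.{apex}", "SRV"), [])]
            if not targets:
                problems.append(f"{apex}: no {svc} SRV records")
            for t in targets:
                if not under(t, apex) or (delegated and under(t, delegated)):
                    problems.append(f"{apex}: {svc} SRV target {t} is outside the zone")
    return problems


# Constructed sample zones (example hosts and RFC 5737 addresses).
AD_ZONE = [
    ("vuw.ac.nz.", "NS", "dc1.vuw.ac.nz."),
    ("dc1.vuw.ac.nz.", "A", "192.0.2.10"),
    ("_kerberos._tcp.vuw.ac.nz.", "SRV", "0 100 88 dc1.vuw.ac.nz."),
    ("_ldap._tcp.vuw.ac.nz.", "SRV", "0 100 389 dc1.vuw.ac.nz."),
    ("unix.vuw.ac.nz.", "NS", "ipa1.unix.vuw.ac.nz."),   # delegation to IPA
    ("unix.vuw.ac.nz.", "NS", "ipa2.unix.vuw.ac.nz."),
    ("ipa1.unix.vuw.ac.nz.", "A", "192.0.2.21"),          # glue
    ("ipa2.unix.vuw.ac.nz.", "A", "192.0.2.22"),
]
IPA_ZONE = [
    ("unix.vuw.ac.nz.", "NS", "ipa1.unix.vuw.ac.nz."),
    ("unix.vuw.ac.nz.", "NS", "ipa2.unix.vuw.ac.nz."),
    ("ipa1.unix.vuw.ac.nz.", "A", "192.0.2.21"),
    ("ipa2.unix.vuw.ac.nz.", "A", "192.0.2.22"),
    ("_kerberos.unix.vuw.ac.nz.", "TXT", "UNIX.VUW.AC.NZ"),  # realm hint IPA publishes
    ("_kerberos._tcp.unix.vuw.ac.nz.", "SRV", "0 100 88 ipa1.unix.vuw.ac.nz."),
    ("_kerberos._tcp.unix.vuw.ac.nz.", "SRV", "0 100 88 ipa2.unix.vuw.ac.nz."),
    ("_ldap._tcp.unix.vuw.ac.nz.", "SRV", "0 100 389 ipa1.unix.vuw.ac.nz."),
    ("_ldap._tcp.unix.vuw.ac.nz.", "SRV", "0 100 389 ipa2.unix.vuw.ac.nz."),
]
# A misconfigured parent: a host record named "unix" masks the delegation,
# and the glue for ipa2 is missing.
BROKEN_AD_ZONE = [r for r in AD_ZONE if r[0] != "ipa2.unix.vuw.ac.nz."] + [
    ("unix.vuw.ac.nz.", "A", "192.0.2.99"),
]

if __name__ == "__main__":
    for label, zone in (("good", AD_ZONE), ("broken", BROKEN_AD_ZONE)):
        print(label, check_delegation(zone, "vuw.ac.nz", IPA_ZONE, "unix.vuw.ac.nz"))
```

On a live deployment the triples come from `dig @dc1 vuw.ac.nz AXFR` (or the AD DNS console) and `dig @ipa1 unix.vuw.ac.nz AXFR`; the stray-record check is the one that catches the case Brian's customers hit when AD hosts all DNS and someone adds a record under the delegated name on the AD side.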