On 12/12/2012 06:09 PM, rashard.ke...@sita.aero wrote:
> What are the disadvantages of using an external DNS source?
You have to create and update all records by hand. Generally, it will work if you are careful. Also, you will get quest after adding a new IPA replica, potentially after adding a host to IPA realm and so on.


> My three options
> are install DNS services on the IPA server,
That is the best way. It will provide seamless integration for you. All records will be created and updated as necessary.


> use the local Active Directory
> DNS, or connect to a linux based DNS appliance.
Generally, they are external DNS servers. I'm not aware of any big differences (from the IPA point of view).


> Is it common not to use DNS at
> all if so what are the drawbacks?
You can run IPA without any DNS, but it will be a pain. You have to configure each host with the address of the KDC etc. Generally, you have to statically configure /etc/krb5.conf, /etc/sssd* and others.

We don't support that (in other ways than recommendations). Also, configuration without DNS will not work with AD trusts.

> My goal is consolidating all local administration of users to a centralized
> place in our environment. I have been reading the documentation and the
> mailing list archives, forgive me if I have overlooked this answer.
I would recommend adding a sub-domain for IPA and letting IPA manage this sub-domain.

If you are in an AD shop "example.com", then you can create the sub-domain "ipa.example.com" and delegate (via NS+A records) this ipa sub-domain from the AD server to the IPA server with integrated DNS.

Some very basic info can be found in
https://fedorahosted.org/freeipa/ticket/3268
specifically
https://fedorahosted.org/freeipa/attachment/ticket/3268/3268.v2

Let us know if you need any assistance.


> Thanks,
> Rashard
>
> This document is strictly confidential and intended only for use by the
> addressee unless otherwise stated. If you are not the intended recipient,
> please notify the sender immediately and delete it from your system.
Good joke (on public mailing list) :-D

--
Petr^2 Spacek
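
The NS+A delegation recommended in the reply above can be checked before it goes live. The following is an added example, not part of the original message or of FreeIPA: it lints a parent-zone record set for the "ipa.example.com" delegation and flags a name server inside the delegated zone that has no glue address. The host name ipaserver.ipa.example.com, the address 192.0.2.10 and the simplified "name TYPE value" record syntax are assumptions made for illustration.

```python
# Added example: lint a parent-zone record set for a sub-domain delegation.
# All host names and addresses below are constructed for illustration.

def parse_records(zone_text):
    """Parse 'name TYPE value' lines (a simplified zone-file subset)."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        name, rtype, value = line.split()
        records.append((name.lower().rstrip("."), rtype.upper(),
                        value.lower().rstrip(".")))
    return records

def check_delegation(zone_text, child):
    """Return a list of problems with the delegation of `child`."""
    child = child.lower().rstrip(".")
    records = parse_records(zone_text)
    ns_targets = [v for n, t, v in records if n == child and t == "NS"]
    if not ns_targets:
        return [f"no NS record delegating {child}"]
    glue = {n for n, t, _ in records if t in ("A", "AAAA")}
    problems = []
    for target in ns_targets:
        in_child = target == child or target.endswith("." + child)
        # A name server that lives inside the delegated zone can only be
        # found if the parent zone also publishes its address (glue).
        if in_child and target not in glue:
            problems.append(
                f"NS target {target} is inside {child} but has no glue record")
    return problems

# Constructed parent-zone fragments (what the AD DNS side would hold).
GOOD = """
ipa.example.com.            NS  ipaserver.ipa.example.com.  ; delegation
ipaserver.ipa.example.com.  A   192.0.2.10                  ; glue
"""
MISSING_GLUE = """
ipa.example.com.            NS  ipaserver.ipa.example.com.
"""

if __name__ == "__main__":
    for label, zone in (("good", GOOD), ("missing glue", MISSING_GLUE)):
        print(label, "->", check_delegation(zone, "ipa.example.com") or "ok")
```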
