On Wed, Dec 12, 2012 at 7:45 PM, Patrick Bakker <patr...@vanbelle.com> wrote:
> I just joined this list because I was curious about the recent discussion
> that Rashard Kelly had started about whether to use FreeIPA's integrated DNS
> or whether to disable DNS. I'm wondering about a very similar thing. I have
> a bunch of Linux servers that I'd like to start manage more centrally but we
> have Active Directory running the network right now.
> I looked at the bug attachment Petr Spacek recommended
> (https://fedorahosted.org/freeipa/attachment/ticket/3268/3268.v2) but one
> thing I didn't see there is a discussion of whether to use an entirely
> different domain. As this is the direction I'm inclined to I'm curious if
> there is some good reason not to do it.
> Suppose I have a company ACME Widgets which is running acmewidgets.local
> under Active Directory. Does it simplify anything if I were to run all my
> Linux boxes under FreeIPA under an entirely different domain such as
> acme.local?

we have an acme.local AD domain as well. Our AD domain controllers
have integrated dns. The AD dns servers have an acme.tld zone as well
(voor a split dns view of our internet facing infrastructure).

What we have done is delegate a new subdomain of this acme.tld domain:
unix.acme.tld; the new subdomain is for IPA, in your AD dns server you
create a delagation of the acme.tld zone and create glue records for
the NS servers of the IPA unix.acme.tld. So every time you create a
replica of an IPA server you add a glue NS record to the delegation
record. This is a recommended best practice by Microsoft (see
http://support.microsoft.com/kb/909264, scroll down to section 'Other
factors', section 'best practices').

> Since I have completely separate DNS records I shouldn't need to worry about
> any DNS integration. Will this complicate a future trust between the AD
> domain acmewidgets.local and the FreeIPA domain acme.local if I want to do
> that at some point?

I do not think so. In typical unix kerberos trusts, a sub domain
implicitly trusts its parent. If you use separate zones you do not
have this risk.


Freeipa-users mailing list

Reply via email to