On Wed, Dec 12, 2012 at 7:45 PM, Patrick Bakker <patr...@vanbelle.com> wrote:
> I just joined this list because I was curious about the recent discussion
> that Rashard Kelly had started about whether to use FreeIPA's integrated DNS
> or whether to disable DNS. I'm wondering about a very similar thing. I have
> a bunch of Linux servers that I'd like to start managing more centrally but we
> have Active Directory running the network right now.
> I looked at the bug attachment Petr Spacek recommended
> (https://fedorahosted.org/freeipa/attachment/ticket/3268/3268.v2) but one
> thing I didn't see there is a discussion of whether to use an entirely
> different domain. As this is the direction I'm inclined to I'm curious if
> there is some good reason not to do it.
> Suppose I have a company ACME Widgets which is running acmewidgets.local
> under Active Directory. Does it simplify anything if I were to run all my
> Linux boxes under FreeIPA under an entirely different domain such as
We have an acme.local AD domain as well. Our AD domain controllers
have integrated DNS. The AD DNS servers have an acme.tld zone as well
(for a split DNS view of our internet facing infrastructure).
What we have done is delegate a new subdomain of this acme.tld domain:
unix.acme.tld; the new subdomain is for IPA, in your AD DNS server you
create a delegation of the acme.tld zone and create glue records for
the NS servers of the IPA unix.acme.tld. So every time you create a
replica of an IPA server you add a glue NS record to the delegation
record. This is a recommended best practice by Microsoft (see
http://support.microsoft.com/kb/909264, scroll down to section 'Other
factors', section 'best practices').
> Since I have completely separate DNS records I shouldn't need to worry about
> any DNS integration. Will this complicate a future trust between the AD
> domain acmewidgets.local and the FreeIPA domain acme.local if I want to do
> that at some point?
I do not think so. In typical Unix Kerberos trusts, a subdomain
implicitly trusts its parent. If you use separate zones you do not
have this risk.
Freeipa-users mailing list
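The delegation described in the reply above (an NS record set for unix.acme.tld in the AD-hosted acme.tld zone, plus a glue A record for every IPA replica, updated each time a replica is added) is easy to let drift: a replica added on the IPA side but not delegated on the AD side is invisible to AD clients, and an NS record without glue is a lame delegation. The following is an added example, not code from the thread or from the FreeIPA project, that checks a parent zone and a child zone for exactly those inconsistencies. The zone contents and all function names are constructed for illustration; in practice the two record sets would come from a zone export or from queries against the AD DNS server and an IPA DNS server.

```python
"""Consistency check for a subzone delegated from AD DNS to IPA DNS.

Added example (not from the mailing-list thread). Records are modelled as
(owner name, type, rdata) tuples with fully qualified, dot-terminated names.
"""

# Constructed sample of what the AD DNS server holds for acme.tld.
PARENT_ZONE_RECORDS = [
    ("acme.tld.", "NS", "dc1.acme.tld."),
    ("dc1.acme.tld.", "A", "10.0.0.10"),
    ("unix.acme.tld.", "NS", "ipa1.unix.acme.tld."),
    ("unix.acme.tld.", "NS", "ipa2.unix.acme.tld."),
    ("ipa1.unix.acme.tld.", "A", "10.0.1.10"),  # glue for ipa1
    # glue for ipa2 deliberately missing: a lame delegation
]

# Constructed sample of what the IPA-managed unix.acme.tld zone holds.
CHILD_ZONE_RECORDS = [
    ("unix.acme.tld.", "NS", "ipa1.unix.acme.tld."),
    ("unix.acme.tld.", "NS", "ipa2.unix.acme.tld."),
    ("unix.acme.tld.", "NS", "ipa3.unix.acme.tld."),  # new replica, not yet delegated
    ("ipa1.unix.acme.tld.", "A", "10.0.1.10"),
    ("ipa2.unix.acme.tld.", "A", "10.0.1.11"),
    ("ipa3.unix.acme.tld.", "A", "10.0.1.12"),
]


def rdata_set(zone, name, rtype):
    """All rdata values of the given type at the given owner name."""
    return {rdata for owner, typ, rdata in zone if owner == name and typ == rtype}


def check_delegation(parent, child, subzone):
    """Compare the parent's delegation of `subzone` with the child's own NS set.

    Returns a dict with three sorted lists:
      missing_glue    - NS names inside the subzone that have no A record in the parent
      undelegated_ns  - servers the child lists as NS but the parent does not delegate to
      stale_ns        - servers the parent delegates to that the child no longer lists
    and an `ok` flag that is True only when all three lists are empty.
    """
    parent_ns = rdata_set(parent, subzone, "NS")
    child_ns = rdata_set(child, subzone, "NS")

    # Only names inside the delegated zone need glue; out-of-bailiwick
    # name servers can be resolved through the parent without it.
    in_bailiwick = {ns for ns in parent_ns if ns.endswith("." + subzone)}
    missing_glue = sorted(ns for ns in in_bailiwick if not rdata_set(parent, ns, "A"))
    undelegated = sorted(child_ns - parent_ns)
    stale = sorted(parent_ns - child_ns)

    return {
        "missing_glue": missing_glue,
        "undelegated_ns": undelegated,
        "stale_ns": stale,
        "ok": not (missing_glue or undelegated or stale),
    }


def parent_records_to_add(parent, child, subzone):
    """Zone-file style lines the parent zone needs so that its delegation
    matches the child's current NS set (NS record plus A glue per server)."""
    findings = check_delegation(parent, child, subzone)
    lines = []
    for ns in findings["undelegated_ns"]:
        lines.append(f"{subzone} IN NS {ns}")
        for addr in sorted(rdata_set(child, ns, "A")):
            lines.append(f"{ns} IN A {addr}")
    for ns in findings["missing_glue"]:
        for addr in sorted(rdata_set(child, ns, "A")):
            lines.append(f"{ns} IN A {addr}")
    return lines


if __name__ == "__main__":
    result = check_delegation(PARENT_ZONE_RECORDS, CHILD_ZONE_RECORDS, "unix.acme.tld.")
    for key, value in result.items():
        print(f"{key}: {value}")
    print("records to add on the AD side:")
    for line in parent_records_to_add(PARENT_ZONE_RECORDS, CHILD_ZONE_RECORDS, "unix.acme.tld."):
        print("  " + line)
```

Run against the constructed zones it reports ipa2 as delegated without glue and ipa3 as an undelegated replica, and lists the NS and A records the acme.tld zone would need for the delegation to match the IPA side again. Running the check after each replica install is a cheap way to keep the AD-side delegation and the IPA-side NS set in step.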