I'm sure my doubts come from my lack of experience with IM at this time. Perhaps with a bit more driving time I'll come to appreciate the package a bit more.

Thanks again for your patience and explanations.

Al

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Monday, October 06, 2014 9:39 AM
To: firstname.lastname@example.org
Subject: Re: [Freeipa-users] FW: FW: FW: named and IpA

On 6.10.2014 17:22, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> Thanks for the additional data. It starts to make sense now, but I'm
> wondering if that could possibly be a weakness in the IdM model ?

Well, define a weakness :-)

Whole IPA server is built around LDAP database so LDAP is a single point of failure *for one particular* IPA server.

IPA offers a solution called "replicas". You can have multiple IPA servers with a (two-way) replicated LDAP database, so an outage on N-1 servers will not affect your clients as long as clients are able to fail over to the last functional server.

I hope I understood your question :-)

Petr^2 Spacek

> Al
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
> Sent: Monday, October 06, 2014 7:35 AM
> To: email@example.com
> Subject: Re: [Freeipa-users] FW: FW: named and IpA
>
> On 6.10.2014 15:17, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>> Thanks very much for the additional input. The configuration as you
>> describe it is correct with a minor detail correction that I didn't
>> notice earlier. 18.104.22.168 is the master for the osn.cxo.cpqcorp.net
>> zone while 22.214.171.124 is a slave for that zone. But as you have said,
>> both are authoritative for that zone.
>>
>> I won't belabor the point and will move on to try a different
>> configuration, as my ultimate goal here is to create trust domains
>> between a Linux and an AD domain. To that end I will reconfigure the
>> current IdM server such that it is in a different subnet and domain.
>>
>> I just find it odd that when ipa is shut down and named is restarted
>> on the system designated as the IdM server, DNS works and the
>> forwarders are not ignored as they are when ipa is running.
>
> The reason is that authoritative data are stored in LDAP but the global
> forwarding configuration (specified on the ipa-server-install command
> line) is stored in /etc/named.conf.
>
> The LDAP server is not reachable when IPA is down, so BIND cannot see the
> zones in LDAP, and the "global" forwarding in named.conf causes it to
> accidentally work for you.
>
> Forwarding is evil :-)
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

--
Petr^2 Spacek
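As an added example (not from the thread or from the FreeIPA project), one way to tell from a client which of the two states Petr describes you are in: a helper that reads the header `dig` prints and reports whether the IPA server's BIND answered from its own LDAP-backed zone data (AA flag set) or merely forwarded the query because the zones were unavailable. The dig outputs below are constructed samples, not real captures.

```python
"""Classify how a DNS server produced an answer, from the header `dig` prints.

Run `dig @<ipa-server> <name-in-your-zone>` and feed the text to classify_dig().
An IPA server that serves the zone from LDAP answers with the "aa" flag; if IPA
is down and only global forwarding in named.conf is left, the answer (if any)
comes back without "aa", which is the "accidentally works" case in the thread.
"""
import re
from dataclasses import dataclass

STATUS_RE = re.compile(r";; ->>HEADER<<- opcode: \w+, status: (\w+)")
FLAGS_RE = re.compile(r";; flags:\s*([a-z ]*?);\s*QUERY: \d+, ANSWER: (\d+)")


@dataclass
class DigVerdict:
    status: str          # RCODE as printed by dig, e.g. NOERROR or SERVFAIL
    authoritative: bool  # True when the "aa" flag is set
    answers: int         # ANSWER count from the header
    source: str          # "authoritative", "forwarded/recursive" or "failed"


def classify_dig(output: str) -> DigVerdict:
    """Parse the dig header and decide where the answer came from."""
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    if not status or not flags:
        raise ValueError("input does not look like a dig header")
    rcode = status.group(1)
    aa = "aa" in flags.group(1).split()
    answers = int(flags.group(2))
    if rcode != "NOERROR" or answers == 0:
        source = "failed"                 # zone gone and nothing to forward to
    elif aa:
        source = "authoritative"          # served from the server's own zone data
    else:
        source = "forwarded/recursive"    # answered via forwarders, not local zones
    return DigVerdict(rcode, aa, answers, source)


# Constructed sample headers (not real captures).
SAMPLE_IPA_UP = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n"
                 ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n")
SAMPLE_IPA_DOWN_FORWARDING = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2\n"
                              ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n")
SAMPLE_IPA_DOWN_NO_FORWARDING = (";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3\n"
                                 ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n")

if __name__ == "__main__":
    for label, sample in [("IPA up", SAMPLE_IPA_UP),
                          ("IPA down, global forwarding", SAMPLE_IPA_DOWN_FORWARDING),
                          ("IPA down, no forwarding", SAMPLE_IPA_DOWN_NO_FORWARDING)]:
        print(f"{label}: {classify_dig(sample).source}")
```

A monitoring check can alert when a name inside the IPA-managed zone is answered without the AA flag: the server is still answering, but not from the data it is supposed to be authoritative for.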