On Wed, 05 Nov 2014, William Muriithi wrote:
Peter,

Sorry, missed your response earlier.

On 4.11.2014 21:57, William Muriithi wrote:
Afternoon,

I have two AD and would like to retain that redundancy within IPA after
establishing trust relationship. How would one achieve that?

I have attempted the following:


[root@ipa3-yyz-int ~]# ipa dnszone-add example.local
--name-server=srvyyzdc02.example.local --name-server=srvyyzdc01.example.local
--admin-email='systemad...@example.com' --force --forwarder=10.10.10.90
--forwarder=10.10.10.91 --forward-policy=only --ip-address=10.10.10.90
--ip-address=10.10.10.91
ipa: ERROR: invalid 'idnssoamname': Only one value is allowed

And got the following error above


Hello,

Could you explain what you are trying to achieve, please?

Was trying to make sure trust remains in place even if we lose one of the
master master AD

What version of FreeIPA do you use?

Version 3.3. Default on CentOS 7 with all updates applied. Not at office at the
moment so can't post the precise rpm version

Commands 'ipa dnszone-*' manage DNS and are not strictly related to AD trusts.
If you add DNS zone to one IPA server it is automatically served by all other
servers. This applies to master & forward zones too.

Ah. I see. I misunderstood the documentation then.

So, would ipa know there are two active directories in the network even
without being explicit on the configuration? I am guessing through DNS?

IPA uses DNS SRV records to discover AD DCs to talk to. You can read
more about the mechanism Windows uses to discover services via DNS here:
http://msdn.microsoft.com/en-us/library/cc717360.aspx

If you want redundancy on Active Directory side, make sure DNS zone for
Active Directory forest contains SRV records as explained in the MS-ADTS 6.3.6.1
and these records mention all required servers.

--
/ Alexander Bokovoy
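
The SRV check described in the reply above, as an added example that is not part of the original thread: it parses `dig +short SRV` style answers and reports which expected domain controllers are missing. The function names and the sample answers are constructed for illustration; the host names are the two DCs from the question.

```shell
#!/bin/sh
# Added example: verify that an SRV answer names every expected AD DC.
# Input format is that of `dig +short SRV <name>`:
#   "priority weight port target."

# Print some of the SRV owner names AD DCs register for domain $1
# (see MS-ADTS 6.3.6.1 for the full list).
ad_srv_names() {
    for svc in _ldap._tcp _kerberos._tcp _kerberos._udp _ldap._tcp.dc._msdcs; do
        printf '%s.%s\n' "$svc" "$1"
    done
}

# Read SRV answer lines on stdin; print each expected host ($@) that no
# record points to. Exit status 0 if all are present, 1 otherwise.
missing_dcs() {
    # Keep only the target field, lowercased, without the trailing dot.
    targets=$(awk 'NF == 4 { t = tolower($4); sub(/\.$/, "", t); print t }')
    rc=0
    for dc in "$@"; do
        want=$(printf '%s' "$dc" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$targets" | grep -qxF -- "$want"; then
            printf '%s\n' "$dc"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample answers (not captured from a real network).
SAMPLE_BOTH='0 100 389 srvyyzdc01.example.local.
0 100 389 SRVYYZDC02.example.local.'
SAMPLE_ONE='0 100 389 srvyyzdc01.example.local.'

# Live use on an IPA server (needs dig from bind-utils):
#   for n in $(ad_srv_names example.local); do
#       dig +short SRV "$n" \
#         | missing_dcs srvyyzdc01.example.local srvyyzdc02.example.local \
#         | sed "s/^/$n lacks /"
#   done
```

An empty result for every owner name means both DCs are discoverable through DNS, so losing one still leaves a DC that IPA can find.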

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
