On Wed, 05 Nov 2014, William Muriithi wrote:
Peter,
Sorry, missed your response earlier.
On 4.11.2014 21:57, William Muriithi wrote:
Afternoon,
I have two AD and would like to retain that redundancy within IPA after
establishing trust relationship. How would one achieve that?
I have attempted the following:
[root@ipa3-yyz-int ~]# ipa dnszone-add example.local
--name-server=srvyyzdc02.example.local --name-server=srvyyzdc01.example.local
--admin-email='[email protected]' --force --forwarder=10.10.10.90
--forwarder=10.10.10.91 --forward-policy=only --ip-address=10.10.10.90
--ip-address=10.10.10.91
ipa: ERROR: invalid 'idnssoamname': Only one value is allowed
And got the following error above
Hello,
Could you explain what you are trying to achieve, please?
Was trying to make sure trust remains in place even if we lose one of the
master master AD
What version of FreeIPA do you use?
Version 3.3. Default on CentOS 7 with all updates applied. Not at office at the
moment so can't post rpm precise version
Commands 'ipa dnszone-*' manage DNS and are not strictly related to AD trusts.
If you add DNS zone to one IPA server it is automatically served by all other
servers. This applies to master & forward zones too.
Ah. I see. I misunderstood the documentation then.
So, would ipa know there are two active directories in the network even
without being explicit on the configuration? I am guessing through DNS?
IPA uses DNS SRV records to discover AD DCs to talk to. You can read
more about the mechanism Windows uses to discover services via DNS here:
http://msdn.microsoft.com/en-us/library/cc717360.aspx
If you want redundancy on Active Directory side, make sure DNS zone for
Active Directory forest contains SRV records as explained in the MS-ADTS 6.3.6.1
and these records mention all required servers.
--
/ Alexander Bokovoy
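
The check described in the reply above, as an added example that is not part of the original thread: it parses SRV answers in `dig +short -t SRV` format and reports any expected DC the record set does not name. The function names are hypothetical, the sample answers are constructed, and the two DC hostnames are the ones from the command earlier in the thread.

```shell
#!/bin/sh
# Added example: verify that an AD SRV record set names every expected DC.
# Input format is that of `dig +short -t SRV <name>`:
#   <priority> <weight> <port> <target.>

# srv_targets: read SRV answers on stdin, print lower-cased targets
# without the trailing dot, one per line, de-duplicated.
srv_targets() {
    awk 'NF == 4 && $3 ~ /^[0-9]+$/ { t = tolower($4); sub(/\.$/, "", t); print t }' | sort -u
}

# missing_dcs ANSWERS DC...: print each expected DC absent from ANSWERS.
# Prints nothing and returns 0 when all are present; returns 1 otherwise.
missing_dcs() {
    answers=$1; shift
    found=$(printf '%s\n' "$answers" | srv_targets)
    rc=0
    for dc in "$@"; do
        # DNS names are case-insensitive; normalise before comparing.
        want=$(printf '%s' "$dc" | tr 'A-Z' 'a-z')
        want=${want%.}
        if ! printf '%s\n' "$found" | grep -qxF -- "$want"; then
            printf '%s\n' "$dc"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample answers (not captured from a real server).
SAMPLE_BOTH='0 100 389 srvyyzdc01.example.local.
0 100 389 SRVYYZDC02.example.local.'
SAMPLE_ONE='0 100 389 srvyyzdc01.example.local.'

# Live use, from the IPA server (record names per MS-ADTS 6.3.6.1):
#   for rr in _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs; do
#       missing_dcs "$(dig +short -t SRV "$rr.example.local")" \
#           srvyyzdc01.example.local srvyyzdc02.example.local
#   done
```

A non-empty result means the trust depends on fewer DCs than intended, so losing a listed DC could leave IPA with nothing to discover.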