Josh,

You will have problems if you go with the plan below, in my opinion. I used 
arrangements like the one you listed below when I used FreeIPA 2.2. This worked 
for me only when I had users hosted on FreeIPA. After upgrading to 3.3 for 
trust, it became very unreliable, and I had to point the IPA clients to the IPA 
server for it to work reliably.

Especially if you plan to point them to AD, it wouldn't work, as AD uses DNS for 
configuration just like IPA, so there will be a conflict.

William


We are currently piloting FreeIPA4 (RHEL 7.1 IdM) in our environment. We plan 
on establishing a trust with AD at some point during the POC. An overview of 
the current DNS design:

* FreeIPA runs integrated DNS (i.e., ipa.domain.com)
* Servers in our environment (even once joined to IPA) continue to use our 
current non-IPA DNS infrastructure for name resolution
* Servers in our environment have hostnames in several other non-IPA domains 
(not ipa.domain.com)
* IPA DNS is configured to zone-transfer ipa.domain.com to our primary 
infrastructure non-IPA DNS servers
* IPA is configured to forward all non ipa.domain.com requests to our primary 
infrastructure non-IPA DNS servers
* ipa.domain.com DNS can be resolved from all non-IPA DNS servers since it is a 
slave on our primary non-IPA DNS servers
* IPA can resolve our Active Directory DNS (ad.domain.lan)
* Active Directory DNS can resolve IPA DNS (ipa.domain.com)

Is this a sensible design for DNS? In this configuration, IPA does not appear 
to be creating DNS records in ipa.domain.com for the hosts that we add to IPA. 
This is presumably because the hosts themselves are in other domains (not 
ipa.domain.com) which are not controlled by IPA. Is this going to cause 
problems?

We have a requirement to keep all servers in our environment using our primary 
non-IPA DNS servers for resolution. It seemed logical to use IPA-integrated DNS 
just so IPA could manage the SRV/LDAP records automatically within the IPA 
zone. 

Any advice/tips/suggestions regarding this design would be greatly appreciated.

Thanks,

Josh
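The design above stands or falls on two things that are easy to check but easy to forget: every record that an enrolled client (ipa-client-install, SSSD, certmonger) discovers under ipa.domain.com must be visible through the non-IPA resolvers, and the slaved copy of ipa.domain.com must not lag behind the IPA master, or records IPA writes will be invisible to clients until the next transfer. The following script is an added example for this thread, not FreeIPA code and not from either post. The record list is the set of SRV/TXT/A names ipa-server-install publishes in its zone plus the two _msdcs SRV names ipa-adtrust-install adds for an AD trust; the domain name and resolver addresses are parameters, and the `dig` invocation assumes `dig` is installed on the host running the check.

```python
"""Sanity checks for a split DNS design: IPA is master for ipa.domain.com,
the non-IPA resolvers hold it as a slave zone, and IPA clients only ever
talk to the non-IPA resolvers.

Added example for this thread; not FreeIPA code. The IPA domain name,
resolver addresses and host names are caller-supplied parameters.
"""
import subprocess
from typing import Callable, List, Tuple

# A resolver maps (owner name, RR type) to the RDATA strings returned,
# or an empty list when nothing is found.
Resolver = Callable[[str, str], List[str]]

# Records an enrolled client looks up under the IPA domain. The first
# group is published by ipa-server-install; the _msdcs pair is added by
# ipa-adtrust-install so that AD domain controllers can locate IPA.
BASE_RECORDS: Tuple[Tuple[str, str], ...] = (
    ("_ldap._tcp", "SRV"),
    ("_kerberos._tcp", "SRV"),
    ("_kerberos._udp", "SRV"),
    ("_kerberos-master._tcp", "SRV"),
    ("_kerberos-master._udp", "SRV"),
    ("_kpasswd._tcp", "SRV"),
    ("_kpasswd._udp", "SRV"),
    ("_kerberos", "TXT"),   # realm name
    ("ipa-ca", "A"),        # CA endpoint used by ipa-client-install/certmonger
)
TRUST_RECORDS: Tuple[Tuple[str, str], ...] = (
    ("_ldap._tcp.dc._msdcs", "SRV"),
    ("_kerberos._tcp.dc._msdcs", "SRV"),
)


def discovery_names(ipa_domain: str, with_trust: bool = True) -> List[Tuple[str, str]]:
    """Fully qualified (name, type) pairs a client must be able to resolve."""
    records = BASE_RECORDS + (TRUST_RECORDS if with_trust else ())
    return [(f"{owner}.{ipa_domain}", rrtype) for owner, rrtype in records]


def dig_resolver(server: str) -> Resolver:
    """Resolver backed by `dig +short @server` (real network use)."""
    def resolve(name: str, rrtype: str) -> List[str]:
        proc = subprocess.run(
            ["dig", "+short", "+time=3", "+tries=1", "@" + server, name, rrtype],
            capture_output=True, text=True, check=False,
        )
        return [line.strip() for line in proc.stdout.splitlines() if line.strip()]
    return resolve


def missing_records(ipa_domain: str, resolve: Resolver, with_trust: bool = True) -> List[str]:
    """Names a client using `resolve` could NOT find; an empty list means OK."""
    return [f"{name} {rrtype}"
            for name, rrtype in discovery_names(ipa_domain, with_trust)
            if not resolve(name, rrtype)]


def soa_serial(resolve: Resolver, zone: str) -> int:
    """SOA serial of `zone` as seen through `resolve`, or -1 if absent."""
    rdata = resolve(zone, "SOA")
    if not rdata:
        return -1
    # dig +short SOA prints: "mname rname serial refresh retry expire minimum"
    return int(rdata[0].split()[2])


def slave_in_sync(zone: str, master: Resolver, slave: Resolver) -> bool:
    """True when the slave serves the same serial as the IPA master.

    A lagging slave means records IPA just wrote (new replica SRV entries,
    a rotated ipa-ca address) are invisible to every client on the site.
    """
    m, s = soa_serial(master, zone), soa_serial(slave, zone)
    return m >= 0 and m == s


if __name__ == "__main__":
    import sys
    # usage: python dnscheck.py ipa.domain.com <ipa-server-ip> <non-ipa-resolver-ip>
    domain, ipa_ns, site_ns = sys.argv[1:4]
    gaps = missing_records(domain, dig_resolver(site_ns))
    print("missing via site resolver:", gaps or "none")
    print("slave zone in sync:", slave_in_sync(domain, dig_resolver(ipa_ns), dig_resolver(site_ns)))
```

Run it from a host that uses only the site resolvers, exactly as the servers in the environment would. Missing entries point at records that either were never created (for example the _msdcs pair before ipa-adtrust-install has run) or are in the zone but not yet transferred; the serial comparison separates the two cases. Pass `with_trust=False` before the trust is set up so the _msdcs names are not reported as missing.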




------------------------------

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

End of Freeipa-users Digest, Vol 78, Issue 62
*********************************************
