On 15.1.2015 20:51, Baird, Josh wrote:
> Hi,
>
> We are currently piloting FreeIPA4 (RHEL 7.1 IdM) in our environment. We
> plan on establishing a trust with AD at some point during the POC. An
> overview of the current DNS design:
>
> * FreeIPA runs integrated DNS (i.e., ipa.domain.com)
> * Servers in our environment (even once joined to IPA) continue to use our
>   current non-IPA DNS infrastructure for name resolution
> * Servers in our environment have hostnames in several other non-IPA domains
>   (not ipa.domain.com)
> * IPA DNS is configured to zone-transfer ipa.domain.com to our primary
>   infrastructure non-IPA DNS servers
> * IPA is configured to forward all non ipa.domain.com requests to our primary
>   infrastructure non-IPA DNS servers
> * ipa.domain.com DNS can be resolved from all non-IPA DNS servers since it is
>   a slave on our primary non-IPA DNS servers
> * IPA can resolve our Active Directory DNS (ad.domain.lan)
> * Active Directory DNS can resolve IPA DNS (ipa.domain.com)
>
> Is this a sensible design for DNS? In this configuration, IPA does not
> appear to be creating DNS records in ipa.domain.com for the hosts that we add
> to IPA. This is presumably because the hosts themselves are in other domains
> (not ipa.domain.com) which are not controlled by IPA. Is this going to cause
> problems?

It should work as long as AD and IPA controlled domains do not overlap. You have to put AD-directly-joined machines into one set of DNS domains and IPA-joined machines into a distinct set of DNS domains.

This is a requirement because you have to have unambiguous DNS domain -> Kerberos REALM mapping.

> We have a requirement to keep all servers in our environment using our
> primary non-IPA DNS servers for resolution. It seemed logical to use
> IPA-integrated DNS just so IPA could manage the SRV/LDAP records
> automatically within the IPA zone.

This is definitely a good idea.

> Any advice/tips/suggestions regarding this design would be greatly
> appreciated.

It should work just fine if you respect the limitation mentioned above.

Let us know if you encounter any problems so we can help you with debugging.

--
Petr^2 Spacek
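The non-overlap requirement from the reply above can be checked against a host inventory before the trust is established. This is an added example, not part of the original thread or of FreeIPA: the realm names, the example.net domains and the host list are constructed, and the longest-suffix lookup is an assumed model of how a DNS domain is mapped to a Kerberos realm.

```python
from collections import defaultdict

# Constructed sample data: (DNS domain, Kerberos realm that owns it).
ASSIGNMENTS = [
    ("ipa.domain.com", "IPA.DOMAIN.COM"),
    ("ad.domain.lan", "AD.DOMAIN.LAN"),
    ("linux.example.net", "IPA.DOMAIN.COM"),
    ("corp.example.net", "AD.DOMAIN.LAN"),
]
# Constructed sample data: FQDN -> realm the machine is actually joined to.
HOSTS = {
    "web01.linux.example.net": "IPA.DOMAIN.COM",
    "dc01.ad.domain.lan": "AD.DOMAIN.LAN",
    "app07.corp.example.net": "IPA.DOMAIN.COM",  # IPA-joined, AD-owned domain
}

def _norm(domain):
    return domain.lower().rstrip(".")

def find_ambiguous_domains(assignments):
    """Return {dns_domain: [realms]} for domains claimed by more than one realm."""
    claims = defaultdict(set)
    for domain, realm in assignments:
        claims[_norm(domain)].add(realm.upper())
    return {d: sorted(r) for d, r in claims.items() if len(r) > 1}

def realm_for_host(fqdn, assignments):
    """Map a host to a realm by the most specific (longest) matching DNS suffix."""
    table = {_norm(d): r.upper() for d, r in assignments}
    labels = _norm(fqdn).split(".")
    for i in range(len(labels)):
        realm = table.get(".".join(labels[i:]))
        if realm:
            return realm
    return None  # host lives in a domain nobody has assigned

def audit(hosts, assignments):
    """Return (fqdn, joined_realm, mapped_realm) for hosts whose DNS domain
    maps to a different realm than the one they are joined to.
    Run find_ambiguous_domains() first; this assumes one realm per domain."""
    problems = []
    for fqdn, joined in sorted(hosts.items()):
        mapped = realm_for_host(fqdn, assignments)
        if mapped != joined.upper():
            problems.append((fqdn, joined.upper(), mapped))
    return problems

if __name__ == "__main__":
    print("ambiguous domains:", find_ambiguous_domains(ASSIGNMENTS))
    for fqdn, joined, mapped in audit(HOSTS, ASSIGNMENTS):
        print(f"{fqdn}: joined to {joined}, but its DNS domain maps to {mapped}")
```
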