On 15.1.2015 20:51, Baird, Josh wrote:
> Hi,
> 
> We are currently piloting FreeIPA4 (RHEL 7.1 IdM) in our environment.  We 
> plan on establishing a trust with AD at some point during the POC.  An 
> overview of the current DNS design:
> 
> * FreeIPA runs integrated DNS (ie, ipa.domain.com)
> * Servers in our environment (even once joined to IPA) continue to use our 
> current non-IPA DNS infrastructure for name resolution
> * Servers in our environment have hostnames in several other non-IPA domains 
> (not ipa.domain.com)
> * IPA DNS is configured to zone-transfer ipa.domain.com to our primary 
> infrastructure non-IPA DNS servers
> * IPA is configured to forward all non ipa.domain.com requests to our primary 
> infrastructure non-IPA DNS servers
> * ipa.domain.com DNS can be resolved from all non-IPA DNS servers since it is 
> a slave on our primary non-IPA DNS servers
> * IPA can resolve our Active Directory DNS (ad.domain.lan)
> * Active Directory DNS can resolve IPA DNS (ipa.domain.com)
> 
> Is this a sensible design for DNS?  In this configuration, IPA does not 
> appear to be creating DNS records in ipa.domain.com for the hosts that we add 
> to IPA.  This is presumably because the hosts themselves are in other domains 
> (not ipa.domain.com) which are not controlled by IPA.  Is this going to cause 
> problems?
It should work as long as AD- and IPA-controlled domains do not overlap. You
have to put AD-directly-joined machines into one set of DNS domains and
IPA-joined machines into a distinct set of DNS domains.

This is a requirement because you have to have unambiguous DNS domain ->
Kerberos REALM mapping.

> We have a requirement to keep all servers in our environment using our 
> primary non-IPA DNS servers for resolution.  It seemed logical to use 
> IPA-integrated DNS just so IPA could manage the SRV/LDAP records 
> automatically within the IPA zone.
This is definitely a good idea.

> Any advice/tips/suggestions regarding this design would be greatly 
> appreciated.
It should work just fine if you respect the limitation mentioned above. Let us
know if you encounter any problems so we can help you with debugging.

-- 
Petr^2 Spacek
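The reply above makes one design rule load-bearing: every host name must map to exactly one Kerberos realm, so the DNS domains claimed by the AD realm and by the IPA realm must not overlap. The following is an added example (not from the thread, not an IPA or krb5 tool) that models that check: each realm claims a list of DNS domains, `find_overlaps` flags any claimed domain that equals or lies within a domain claimed by another realm, and `realm_for_host` resolves a host name by longest-suffix match in the way a krb5.conf `[domain_realm]` lookup does. The realm names are constructed from the two domains in the thread (ipa.domain.com, ad.domain.lan); the extra domains linux.domain.com, app.domain.com and domain.lan are invented to stand in for the "several other non-IPA domains" the question mentions.

```python
"""Check that the DNS domains claimed by an AD realm and an IPA realm do not
overlap, so that DNS domain -> Kerberos REALM mapping is unambiguous.

Added example; realm and domain names below are constructed placeholders
derived from the mailing-list thread, not a real deployment.
"""
from typing import Dict, List, Optional, Tuple

Claims = Dict[str, List[str]]  # realm -> DNS domains that realm owns


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are DNS-style."""
    return name.strip().lower().rstrip(".")


def is_within(name: str, domain: str) -> bool:
    """True if `name` equals `domain` or sits below it in the DNS tree."""
    n, d = normalize(name), normalize(domain)
    return n == d or n.endswith("." + d)


def find_overlaps(claims: Claims) -> List[Tuple[str, str, str, str]]:
    """Return (realm_a, domain_a, realm_b, domain_b) for each pair of claimed
    domains where one equals or lies within the other across two realms.

    An empty list means hosts in any claimed domain resolve to exactly one realm."""
    overlaps = []
    realms = sorted(claims)
    for i, realm_a in enumerate(realms):
        for realm_b in realms[i + 1:]:
            for dom_a in claims[realm_a]:
                for dom_b in claims[realm_b]:
                    if is_within(dom_a, dom_b) or is_within(dom_b, dom_a):
                        overlaps.append((realm_a, dom_a, realm_b, dom_b))
    return overlaps


def realm_for_host(fqdn: str, claims: Claims) -> Optional[str]:
    """Longest-suffix match of `fqdn` against the claimed domains, mirroring
    how a [domain_realm] lookup prefers the most specific entry. None if the
    host falls under no claimed domain (the caller must treat that as unmapped)."""
    best_realm, best_len = None, -1
    for realm, domains in claims.items():
        for dom in domains:
            if is_within(fqdn, dom) and len(normalize(dom)) > best_len:
                best_realm, best_len = realm, len(normalize(dom))
    return best_realm


def domain_realm_stanza(claims: Claims) -> str:
    """Render the claims as a krb5.conf [domain_realm] section (both the
    '.domain' subtree entry and the bare 'domain' entry per claimed domain)."""
    lines = ["[domain_realm]"]
    for realm in sorted(claims):
        for dom in sorted(normalize(d) for d in claims[realm]):
            lines.append(f"  .{dom} = {realm}")
            lines.append(f"  {dom} = {realm}")
    return "\n".join(lines)


# Constructed layout matching the thread's design: IPA owns ipa.domain.com
# plus the other non-IPA-named domains its hosts live in; AD owns ad.domain.lan.
GOOD_CLAIMS: Claims = {
    "IPA.DOMAIN.COM": ["ipa.domain.com", "linux.domain.com", "app.domain.com"],
    "AD.DOMAIN.LAN": ["ad.domain.lan"],
}

# Constructed violation: IPA also claims domain.lan, which sits above AD's zone.
BAD_CLAIMS: Claims = {
    "IPA.DOMAIN.COM": ["ipa.domain.com", "domain.lan"],
    "AD.DOMAIN.LAN": ["ad.domain.lan"],
}


if __name__ == "__main__":
    for label, claims in (("good", GOOD_CLAIMS), ("bad", BAD_CLAIMS)):
        print(f"{label}: overlaps = {find_overlaps(claims)}")
    print(domain_realm_stanza(GOOD_CLAIMS))
    print(realm_for_host("web01.linux.domain.com", GOOD_CLAIMS))
```

Run it before adding a new DNS domain to either side: an empty overlap list for the proposed claims is the condition the reply describes, and `realm_for_host` returning None for a planned host name means that domain still needs to be assigned to one realm.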
