Thank you Craig and Martin for your useful input. You both definitely recommend not to use example.com for the internal IPA DNS.
I was in any case going to avoid the .local suffix and any invented top-level domain, after some reading on this topic. Using a subdomain like internal.example.com seems reasonable. I was under the impression that the freeIPA domain needed to be a top-level one, but maybe I was wrong here? Can I still keep example.com outside and have freeIPA manage internal.example.com?

On 4 February 2015 at 10:34, Martin Basti <[email protected]> wrote:

> On 03/02/15 16:52, Craig White wrote:
>
> > From: [email protected] [mailto:[email protected] <[email protected]>] On Behalf Of Roberto Cornacchia
> > Sent: Tuesday, February 03, 2015 5:20 AM
> > To: [email protected]
> > Subject: [Freeipa-users] basic question on DNS configuration
> >
> > Hi guys,
> >
> > I can't wait to get freeIPA installed in our small enterprise, but I'd first like to get a couple of basic things straight.
> >
> > My first doubt is about the DNS configuration. Currently, we use a setting that I guess is rather common for small enterprises:
> >
> > We own an example.com domain which is managed by the DNS of an external provider.
> >
> > A couple of subdomains point to public IP addresses outside our local network (e.g. www.example.com is hosted at our internet provider, server1.example.com points at a server hosted in a datacenter, etc).
> >
> > All the remaining subdomains (*.example.com) point at one IP which corresponds to our local router.
> > Then we use some simple forwarding rules to forward on to machines that are behind the router (service1.example.com, desktop1.example.com, desktop2.example.com, etc).
> >
> > Internally, because the enterprise is rather small, we are not using a DNS, but simply /etc/hosts files on each machine. When they can't resolve whatever.example.com, then the request goes to the external DNS.
> >
> > (sorry about the long-ish background information, probably this configuration is commonly named somehow, but I don't know how)
> >
> > Now, a first simple question for you guys would be:
> > When installing freeIPA, with DNS, is the network configuration above still advisable? Can there be any problem? Or should I rather use a different domain for the internal network (I would really NOT like this option, but I'm very interested to know why I should, if that is the case).
> >
> > A second basic question is:
> > Would you see any potential problem in installing freeIPA on a FC21 Server which currently hosts Atlassian Jira + Atlassian Stash (therefore git repositories) + the required mysql databases?
> > My guess would be that they would not interfere, as:
> > - httpd (and related ports) is currently unused
> > - Both Jira and Stash use their own tomcat installation on custom ports
> > - mysql shouldn't be a problem?
> > - The machine isn't overloaded at all (4-5 developers use those services)
> >
> > Am I overlooking something? Obviously I'd rather have a dedicated freeIPA server, but if the above mentioned coexistence isn't a problem, then this would be more cost-effective.
> >
> > Thank you very much for your help, I'm looking forward to this upgrade.
> > Roberto
> >
> > I would recommend that you create a ‘local’ domain for your internal LAN though you certainly can use your domain name for both the internal LAN and the external world. Obviously you would have to create ‘manual’ entries in DNS for the external servers (like www.example.com) so your internal LAN systems can resolve it. If you have a ‘local’ domain for your internal LAN, there aren’t name collisions, no need to manually maintain DNS entries for off-LAN servers and no confusion of essentially faking your LAN systems into believing that the IPA server is authoritative for the example.com domain when the rest of the world thinks otherwise. The choice is yours.
> >
> > As for using F21 – you get the latest version of FreeIPA which is something I wish I had here.
> >
> > Git / Stash / Jira represent a fairly hefty memory footprint even if there isn’t that much CPU load. If you have the RAM and cpu cores to handle tossing FreeIPA onto the stack, go for it. You probably will want a replica too as the replica keeps your LAN running if the primary server is unavailable for whatever reason and it minimizes backup needs substantially.
> >
> > Craig
>
> Hello,
>
> For using the 'local.' domain please read the following message, to avoid issues on Fedora:
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00010.html
>
> You can't use the 'example.com' zone for internal IPA DNS.
>
> You can create your internal sub zone, like 'internal.example.com' or 'corp.example.com', where IPA managed hosts will be added. It is the preferred solution instead of creating '.local' hostnames. Then you can set up a global forwarder on IPA DNS to your external DNS, where names other than 'internal.example.com' will be resolved.
>
> If I understand correctly, it is an internal network, so you do not need publicly resolvable domain names.
>
> --
> Martin Basti
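Added example (not code from the thread or from FreeIPA): a small checker that applies the advice above to a naming plan, rejecting the public apex and '.local', requiring a sub zone of a domain you own plus a forwarder, and building the matching install and forwarder commands. The flags are real ipa-server-install / ipa CLI options; the resolver address and hostnames are constructed sample values.

```python
# Constructed example: validate a FreeIPA internal-zone plan and derive the commands.
# Flags (--setup-dns, --domain, --realm, --forwarder, dnsconfig-mod) are real IPA options;
# 192.0.2.53 and the host names used in the test are made-up sample values.

def _labels(name: str) -> list[str]:
    """Normalise a DNS name to lowercase labels without the trailing dot."""
    return name.strip().rstrip(".").lower().split(".")


def is_subzone(child: str, parent: str) -> bool:
    """True when child is strictly below parent (internal.example.com under example.com)."""
    c, p = _labels(child), _labels(parent)
    return len(c) > len(p) and c[-len(p):] == p


def check_plan(public_zone: str, ipa_domain: str, forwarders: list[str]) -> list[str]:
    """Return the problems with a plan; an empty list means it follows the thread's advice."""
    problems = []
    if _labels(ipa_domain) == _labels(public_zone):
        problems.append("IPA would claim authority for the public zone itself")
    elif not is_subzone(ipa_domain, public_zone):
        problems.append("IPA zone must be a sub zone of a domain you own (no invented TLDs)")
    if _labels(ipa_domain)[-1] == "local":
        problems.append("'.local' is known to cause issues on Fedora; use a real sub zone")
    if not forwarders:
        problems.append("a global forwarder is needed so names outside the IPA zone still resolve")
    return problems


def build_commands(ipa_domain: str, forwarders: list[str]) -> dict[str, list[str]]:
    """Commands for a plan that passed check_plan; the Kerberos realm is the domain upper-cased."""
    domain = ".".join(_labels(ipa_domain))
    fwd = [f"--forwarder={ip}" for ip in forwarders]
    return {
        "install": ["ipa-server-install", "--setup-dns", f"--domain={domain}",
                    f"--realm={domain.upper()}", *fwd],
        # Same forwarders can be (re)applied later to the global DNS config.
        "forwarders": ["ipa", "dnsconfig-mod", *fwd],
    }


def rehome(host: str, public_zone: str, ipa_domain: str) -> str:
    """Map a flat LAN name (service1.example.com) into the IPA zone (service1.internal.example.com)."""
    labels, zone = _labels(host), _labels(public_zone)
    if len(labels) != len(zone) + 1 or labels[-len(zone):] != zone:
        raise ValueError(f"{host} is not a single label directly under {public_zone}")
    return ".".join(labels[:1] + _labels(ipa_domain))
```

Hosts that must stay on the public zone (www.example.com, server1.example.com) are simply not rehomed; the forwarder resolves them as before.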
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
