The deployment I'm contemplating is as follows:
1. FreeIPA master at a central site,with AD Trust established to the primary DC.
2. Replicas of the FreeIPA master at 4 other sites (with varying WAN
latency between central and site),with replication agreements only
with to the master at the central site.
(So the AD trust is estalished only between the master IPA server and
the primary AD domain controller)
There is also an existing domain controller at each site that synchs
to the primary domain controller at the main site.
I'd like AD user access to Linux systems at each site to be stable
and consistent as possible, so to rule out the effect of WAN latency
and possibly intermittent connectivity (and a host of possibly other
unknown factors), I plan to establish an AD trust between the replica
at each site and the local AD domain controller. My thinking is that
AD user accounts information will then be available to the replica
almost as soon as it's available to the AD dc at that site.
So ultimately, the consistency of user information should be as good
as can be expected from AD's cross wan replication to remote sites,
even if the synchronisation between a replica and master is not 100%
sin synch at all times (e.g due to WAN latency).
My concern is that multiple trusts established this way may lead to
replication inconsistency betweend master IPA server and it's
replicas,especially in the case where the replica is seeing AD
information in different stages of replication.
My question: Does IPA cope with this scenario? Is it safe, and will it
improve AD authentication performance (at least from the user point of
view) to establish trust between each replica and the local domain
controller in each given site?
NOTE: I'm aware that AD replication also runs on a schedule and
'slaves' can lag the primary from around 180 minutes to a day
depending on WAN conditions.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project