Please let me correct this:

IPA cares only about correct DNS records. It does not matter if IPA manages
the DNS server or if the server is an external entity - everything will work as
long as all records are in place.

IPA installers should give you a standard zone file which can be added to
existing DNS servers.

On 18.5.2015 16:13, Baird, Josh wrote:
> You should add your IPA zone as a slave on your 'external' DNS servers so 
> they are able to resolve the IPA zone.

If you decide to use IPA DNS then you *most importantly* need to add proper NS
records to the parent zone to ensure that DNS delegation is correct.

Slave zones are just 'nice to have' for improved resiliency but they should
never be used instead of proper NS records.

Let me know if you are interested in some other details.

Petr^2 Spacek

> Josh
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Winfried de Heiden
> Sent: Monday, May 18, 2015 10:10 AM
> To: Freeipa-users
> Subject: [Freeipa-users] AD-trust and external DNS
> Hi all,
> Creating an AD-trust works nicely. However, for some customers both AD and 
> IPA don't have DNS "for their own", they use external DNS (Infoblox for 
> example)
> Now, is it possible to create an AD trust without a built-in (bind) IPA-DNS?
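
An added example, not part of the original thread and not FreeIPA tooling: a small Python check that a parent-zone fragment actually delegates the IPA zone with NS records, as the reply above requires, and that name servers living inside the delegated zone have glue addresses. The zone names, addresses and function names are constructed for illustration.

```python
# Constructed sample: fragment of a parent zone (example.com) in zone-file
# syntax. All names and addresses are made up for illustration.
PARENT_ZONE = """\
ipa.example.com.       86400 IN NS ipa1.ipa.example.com.
ipa.example.com.       86400 IN NS ipa2.ipa.example.com.
ipa1.ipa.example.com.  86400 IN A  192.0.2.10
www.example.com.       3600  IN A  192.0.2.80
"""


def parse_records(zone_text):
    """Return (owner, rtype, rdata) tuples from 'owner ttl IN type rdata' lines."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        fields = line.split()
        if len(fields) >= 5 and fields[2].upper() == "IN":
            records.append((fields[0].lower(), fields[3].upper(), fields[4].lower()))
    return records


def check_delegation(zone_text, child):
    """Check that the parent zone delegates `child` with NS records and that
    every name server inside the child zone has glue (A/AAAA) in the parent."""
    child = child.lower().rstrip(".") + "."
    records = parse_records(zone_text)
    nameservers = sorted(rd for owner, rt, rd in records
                         if owner == child and rt == "NS")
    glue_owners = {owner for owner, rt, _ in records if rt in ("A", "AAAA")}
    # A name server below the delegated zone cannot be resolved without glue.
    missing_glue = [ns for ns in nameservers
                    if ns.endswith("." + child) and ns not in glue_owners]
    return {
        "delegated": bool(nameservers),
        "nameservers": nameservers,
        "missing_glue": missing_glue,
    }


if __name__ == "__main__":
    print(check_delegation(PARENT_ZONE, "ipa.example.com"))
```

A slave copy of the zone on the external servers would not change this result; only NS records in the parent zone make `delegated` true.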
