I consider deploying IPA in my organization.The environment is disconnected
from the internet.I have some concerns I'm not sure how to resolve.

The environment consists mostly of windows servers (thousands) and
workstations (ten thousand) managed by AD (CORP.COM). There is also a small
linux environment (up to a thousand servers) that are currently not
centerally managed (user-wise).

I want to utilize IPA and the AD trust feature to implement SSO.

I'd like to have a sub-domain ran by IPA (LINUX.CORP.COM).

Because the environment is windows dominated, the AD is used as the
authoritative DNS server for all forward and reverse lookup zones.

The AD trust requires that both the IPA and AD will be authoritative over
their respective forward and reverse lookup zones. However, the linux and
windows servers are spread across multiple subnets without any big-scale
logic, therefore it is not practical to create a reverse lookup zone for
each subnet in the IPA server as those subnets contain both linux and
windows machines.

I came up with some solutions:

1) Have only the AD as a DNS server and give up on ipa-client-install and
automatic client registration.

2) DNS synchronization between IPA and AD.

3) Have the IPA manage the forward zone (linux.corp.com), and have the
clients update its own A record automatically upon ipa-client-install,
while having the AD manage the reverse zones (A or B class subnets) with me
creating the PTR records manually. The IPA will be configured as a
conditional forwarder for linux.corp.com, while the AD will be configured
as a global forwarder in the IPA server.

I strongly dislike the first two solutions and I would like your opinion on
the feasibility of the third.

I'm also open for any other ideas.

If there aren't any, is this solution feasible?


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to