On Tue, 13 Oct 2015, Petr Spacek wrote:
On 12.10.2015 22:20, Alexander Bokovoy wrote:
On Mon, 12 Oct 2015, Andy Thompson wrote:

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
boun...@redhat.com] On Behalf Of Hoffmaster, John
Sent: Monday, October 12, 2015 3:46 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Free IPA to Microsoft AD 2008R2 trust question


The company I work for  uses AD 2008R2 DC to resolve requests for
Unix/Linux servers in various environments, under one domain
example.com, with the Realm EXAMPLE.COM ?

Is it possible to use Freeipa 4.1.0, with an g AD-Trust with only itself as a
name server and forwarding all DNS requests to the windows DC's and still
keep everything in the example.com domain without creating a child domain
like  ipa.example.com ?


Add for RedHat 7, use hostnamectl set-hostname ipa.example.com

change the install IPA server  command to

ipa-server-install -a mypassword1 -p mypassword2 --domain=example.com -
-realm=example.com --setup-dns --forwarder=AD_ipaddress


No.  The IPA domain has to be different than the AD domain.
This is true for any two separate Active Directory forests, and as IPA
represents itself as a separate AD forest for the trust relationship, it
is forced to follow Active Directory requirements.

In other words, IPA itself needs one separate domain for SRV records and other

Client machines may have hostnames in different domains as long as there is
1:1 mapping between domain->REALM (AD/IPA).
Yep. Let's say explicitly:
- IPA machines cannot belong to any domain of AD forest -- in terms of
  DNS this means they cannot have A/AAAA records in any AD domain's DNS
- IPA machines may have CNAMEs in an AD domain's DNS zone that point to
  A/AAAA records in IPA DNS zones.

If you follow these two rules, you'll have single sign-on working
between IPA and AD through the cross-forest trust.
/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to