Adding a forward zone like Martin suggested works. I will definitely read the section you linked to get a better understanding of the differences between both.
Doing a dig for google.com won't work in our case, because the servers are not internet-facing.

Stijn

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Monday 22 February 2016 11:05
To: email@example.com
Subject: Re: [Freeipa-users] DNS operation timed out when installing IPA with forwarders

On 19.2.2016 15:09, Martin Basti wrote:
> On 19.02.2016 14:57, Geselle Stijn wrote:
>> That seems to fail:
>>
>> [root@ipa ~]# dig @192.168.1.1 . SOA
>>
>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.2 <<>> @192.168.1.1 . SOA
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44900
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4000
>> ;; QUESTION SECTION:
>> ;. IN SOA
>>
>> ;; Query time: 11153 msec
>> ;; SERVER: 192.168.1.1#53(192.168.1.1)
>> ;; WHEN: Fri Feb 19 14:42:51 CET 2016
>> ;; MSG SIZE rcvd: 28
>>
>>
>> But if I add a new record (e.g. CNAME) to DNS in Windows Server and
>> try to ping to that CNAME, I get resolved correctly.
>>
>> -Stijn
> Hello,
>
> global forwarders, specified by --forwarder option during installation
> or added via ipa dnsconfig-mod, must be able to resolve root zone
> (your forwarder/server 192.168.1.1 is not able to return result for root
> zone).
>
> You probably need to specify forwardzone, for the particular windows
> domain you use, instead of specifying it as global forwarder.
>
> ipa dnsforwardzone-add <your.windows.zone.> --forwarder 192.168.1.1

Martin could be right, but this depends on your setup.
Please read chapter "Managing DNS Forwarding" in our docs:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-dns-forwarding.html

It explains the difference between global and per-zone forwarding (I hope :-) so it will be easier to decide what should be used.

BTW does the command
$ dig @192.168.1.1 www.google.com. SOA
work?

(Assuming that neither google.com. nor com. are your AD domains :-))

Petr^2 Spacek

>> -----Original Message-----
>> From: freeipa-users-boun...@redhat.com
>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
>> Sent: Friday 19 February 2016 13:59
>> To: firstname.lastname@example.org
>> Subject: Re: [Freeipa-users] DNS operation timed out when installing
>> IPA with forwarders
>>
>> On 19.2.2016 13:50, Geselle Stijn wrote:
>>> Hello fellow FreeIPA users,
>>>
>>> I'm trying to set up FreeIPA in a lab environment (VirtualBox):
>>>
>>>
>>> - ad.example.com (Windows Server 2008 R2) - 192.168.1.1
>>>
>>> - ipa.example.com (CentOS 7.2) - 192.168.1.2
>>> Both machines can ping each other, DNS resolving works:
>>>
>>> [root@ipa ~] nslookup ad
>>> Server: 192.168.1.1
>>> Address: 192.168.1.1#53
>>>
>>> Name: ad.example.com
>>> Address: 192.168.1.1
>>>
>>>
>>> I executed:
>>>
>>> yum install -y "*ipa-server*" bind bind-dyndb-ldap
>>> ipa-server-install --domain=example.com --realm=EXAMPLE.COM --setup-dns --forwarder=192.168.1.1
>>>
>>> But the installation wizard fails at:
>>>
>>> Checking DNS forwarders, please wait ...
>>> ipa : ERROR DNS server 192.168.1.1: query '. SOA': The DNS
>>> operation timed out after 10.00124242 seconds
>>> ipa.ipapython.install.cli.install_tool(Server): ERROR DNS server
>>> 192.168.1.1: query '. SOA': The DNS operation timed out after
>>> 10.00124242 seconds
>>>
>>>
>>> Is there some way I can better troubleshoot this? Can I increase the
>>> DNS timeout (maybe it's simply slow via VirtualBox).
>> Please try command
>> $ dig @192.168.1.1 . SOA
>> and paste the output here.
>>
>> Also, please run the installer again with option --debug.
>>
>> I will have a look.
>>
>> Thank you.
>>
>> --
>> Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
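
The check discussed in this thread, as an added example that is not part of the original messages or of FreeIPA: it classifies the output of `dig @SERVER . SOA` to tell whether a server answers the root-zone query the installer sends for a global forwarder. The function names, the verdict strings and the sample replies are assumptions constructed for this example; the SERVFAIL sample is abbreviated from the dig output quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Reads the output of
#   dig @SERVER . SOA
# on stdin and prints one verdict. The function names and verdict strings
# are assumptions made for this example.
classify_forwarder() {
    awk '
        /->>HEADER<<-/    { status  = after("status:") }
        / ANSWER: /       { answers = after("ANSWER:") }
        /^;; Query time:/ { msec = $4 }
        function after(key,   i, v) {
            for (i = 1; i < NF; i++)
                if ($i == key) { v = $(i + 1); sub(/,$/, "", v); return v }
            return ""
        }
        END {
            if (status == "")
                print "no-response"      # timeout, no DNS reply header at all
            else if (status == "NOERROR" && answers + 0 > 0)
                print "resolves-root"    # answers the ". SOA" query
            else                         # reachable, but no root zone answer
                print "no-root status=" status " time=" msec "ms"
        }
    '
}

# Constructed sample: the SERVFAIL reply quoted in the thread, abbreviated.
sample_servfail() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44900
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 11153 msec
EOF
}

# Constructed sample: a reply from a server that can resolve the root zone.
sample_noerror() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
.  86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2016021900 1800 900 604800 86400
;; Query time: 24 msec
EOF
}

# Live use against the forwarder from the thread:
#   dig @192.168.1.1 . SOA | classify_forwarder
```

A `no-root` verdict corresponds to the case Martin describes, where the server is a candidate for `ipa dnsforwardzone-add` rather than `--forwarder`.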