On Fri, 04 Mar 2016, Csaba Patyi wrote:
We are trying to create sync between Windows 2012 r2 AD and FreeIPA 4.2.0
(CentOS 7) and we run into an issue.
We are following this documentation:
I know it is a little bit old and now the preferred method is trust and not
sync. But if my understanding is correct, in a trust you have to use 2
different domains like company.net <--> company.com and it cannot be used as
company.com <--> company.com
Your understanding is not fully correct.
You cannot have IPA machines in the same DNS zone as Active Directory.
You can have IPA machines in a subdomain or a completely separate zone.
If you need to present IPA machines as part of the Active Directory DNS
zone, you can use the CNAME trick where machines are actually in
.ipa.company.com (A/AAAA in that DNS zone) and have a CNAME in
.company.com that points to the true name in .ipa.company.com.
Again, the reason for this is due to the fact that FreeIPA presents
itself as a separate Active Directory forest and it is impossible for
two Active Directory forests to be in the same DNS zone. This is an
Active Directory limitation, not a FreeIPA one.
/ Alexander Bokovoy
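The CNAME layout described in the reply above can be checked mechanically before AD starts complaining about name clashes. The script below is an added example, not part of the original mail thread or the FreeIPA project: it assumes BIND-style record lines ("name TTL IN type rdata"), an AD zone of company.com and an IPA zone of ipa.company.com, and verifies for each IPA-enrolled short hostname that the A/AAAA record lives only in the IPA zone and the AD zone carries nothing but a CNAME to it. The sample records are constructed for illustration.

```python
"""Verify the IPA-in-a-subdomain CNAME layout against DNS records.

Added example (hypothetical zone data); assumes the AD zone is company.com
and the IPA zone is ipa.company.com, as in the thread.
"""
import re
from collections import defaultdict

AD_ZONE = "company.com."
IPA_ZONE = "ipa.company.com."

# Constructed sample records, not taken from the original mail.
# ipa1 and client1 follow the rule; badhost and dangling break it.
SAMPLE_RECORDS = """
ipa1.ipa.company.com.    3600 IN A     192.0.2.10
ipa1.ipa.company.com.    3600 IN AAAA  2001:db8::10
ipa1.company.com.        3600 IN CNAME ipa1.ipa.company.com.
client1.ipa.company.com. 3600 IN A     192.0.2.20
client1.company.com.     3600 IN CNAME client1.ipa.company.com.
badhost.company.com.     3600 IN A     192.0.2.30
dangling.company.com.    3600 IN CNAME nothere.ipa.company.com.
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_records(text):
    """Parse BIND-style lines into {(owner, rtype): [rdata, ...]}."""
    records = defaultdict(list)
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError("unparseable record: %r" % line)
        name, _ttl, rtype, rdata = m.groups()
        records[(name.lower(), rtype.upper())].append(rdata)
    return records


def has_address(records, name):
    """True if the owner name has an A or AAAA record."""
    return bool(records.get((name, "A")) or records.get((name, "AAAA")))


def check_ipa_hosts(records, hosts, ad_zone=AD_ZONE, ipa_zone=IPA_ZONE):
    """Return {short_host: [problem, ...]} for each IPA-enrolled host.

    The rule from the thread: address records only in the IPA zone, and in
    the AD zone only a CNAME pointing at the IPA name.
    """
    report = {}
    for host in hosts:
        host = host.lower()
        ipa_name = "%s.%s" % (host, ipa_zone)
        ad_name = "%s.%s" % (host, ad_zone)
        problems = []
        if not has_address(records, ipa_name):
            problems.append("no A/AAAA record in IPA zone")
        if has_address(records, ad_name):
            # An address record here would collide with AD's own view of the zone.
            problems.append("A/AAAA record in AD zone (conflicts with AD)")
        cnames = [c.lower() for c in records.get((ad_name, "CNAME"), [])]
        if not cnames:
            problems.append("no CNAME in AD zone")
        elif cnames != [ipa_name]:
            problems.append("CNAME in AD zone points to %s, not %s"
                            % (", ".join(cnames), ipa_name))
        report[host] = problems
    return report


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for host, probs in check_ipa_hosts(recs, ["ipa1", "client1", "badhost", "dangling"]).items():
        print("%-9s %s" % (host, "OK" if not probs else "; ".join(probs)))
```

Feed it the output of a zone transfer or a `dig`-collected record dump in the same line shape, with the list of hosts taken from `ipa host-find`; any non-empty problem list is a host that AD will see as living inside its own zone.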