Thanks for the clarification. Regards

2016-10-20 14:23 GMT-04:00 Alexander Bokovoy <>:

> On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
>> Hi Alexander,
>> I do believe it is a DNS problem, the commands failing are
>> host -t srv _ldap._tcp.ad_domain
>> or
>> dig SRV _ldap._tcp.ad_domain
>> after checking the logs I see this error
>> "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN':"
>> so I disabled the DNSSEC validation on IPA and it worked as expected, I will
>> set up DNSSEC on the Windows side and enable DNS validation once more on
>> IPA to see if I can get the same outcome.
> When you use DNSSEC validation, your DNS infrastructure should all be
> using DNSSEC. This does not depend on whether you are deploying trust to
> AD or not.
> In fact, when installing FreeIPA server, you have the option to disable
> DNSSEC validation (ipa-server-install --no-dnssec-validation). The same
> option exists in ipa-dns-install.
> --
> / Alexander Bokovoy
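
Before turning validation off, it helps to see which names and upstream servers are actually failing the DNSSEC check. The following is an added example, not part of the thread or of FreeIPA: it scans resolver log text for the "no valid DS" error quoted above and groups the failing queries by answering server. The full log line layout (`error (no valid DS) resolving '…': addr#port`) is an assumption based on the usual BIND format, and the sample lines, names and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines (placeholder names and documentation addresses).
SAMPLE_LOG = """\
Oct 20 13:58:01 ipa1 named-pkcs11[2211]: error (no valid DS) resolving '_ldap._tcp.ad.example/SRV/IN': 192.0.2.10#53
Oct 20 13:58:01 ipa1 named-pkcs11[2211]: error (no valid DS) resolving '_kerberos._tcp.ad.example/SRV/IN': 192.0.2.10#53
Oct 20 13:58:07 ipa1 named-pkcs11[2211]: error (connection refused) resolving 'www.example.org/A/IN': 198.51.100.7#53
Oct 20 13:59:12 ipa1 named-pkcs11[2211]: error (no valid DS) resolving 'dc1.ad.example/A/IN': 192.0.2.10#53
"""

# Matches both the assumed full form and the shortened form quoted in the
# thread (no parentheses, stray space before the type, no server address).
PATTERN = re.compile(
    r"no valid DS\)? resolving '(?P<qname>[^/'\s]+)[ \t]*/(?P<qtype>[A-Z0-9]+)/IN':"
    r"(?:[ \t]*(?P<server>[0-9A-Fa-f.:]+)#\d+)?"
)

def failures_by_server(log_text):
    """Return {server: sorted [(qname, qtype), ...]} for DNSSEC DS failures.

    Other resolver errors (timeouts, refused connections) are ignored, so the
    result lists only names that a validating resolver rejected because the
    zone has no valid DS record in its parent.
    """
    grouped = defaultdict(set)
    for match in PATTERN.finditer(log_text):
        server = match.group("server") or "unknown"
        grouped[server].add((match.group("qname").lower(), match.group("qtype")))
    return {server: sorted(names) for server, names in grouped.items()}

if __name__ == "__main__":
    for server, names in failures_by_server(SAMPLE_LOG).items():
        print(f"upstream {server}: {len(names)} name(s) failed validation")
        for qname, qtype in names:
            print(f"  {qtype:<4} {qname}")
```

If every failing name sits under the AD domain, the unsigned zone is the one to address, either by signing it or by deciding that validation stays off as described above.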