On 26/10/2016 21:03, Ranbir wrote:
> If I have two networks, say A and B, and I want both to use the same
> FreeIPA server, should I have one Freeipa domain for network A and a
> sub-domain for network B, (domain.local and b.domain.local), or should
> I create two top level domains (a.local and b.local)? What's the
> recommended way to do this?
Well, as a first point, I'd say never use a fake domain like ".local".
Use a subdomain of some real domain that you already have - e.g.
int.yourcompany.com. You don't need to expose it to the Internet if you
don't want to, and a fake domain can cause you problems down the line.
Secondly: do you really need two domains? DNS domains are used as a way to
delegate administrative responsibility. If the same person is managing
the DNS for both sites, then you can just as well use one domain.
Personally I like to embed the site in the hostname (e.g.
lon-srv-1.int.yourcompany.com), because there are many circumstances in
which only the shortened hostname "lon-srv-1" is seen, such as syslog
messages and bash prompts. Hence it's good for the hostname itself to be
But if you prefer a different DNS domain for equipment in each site,
that's not a problem either. You can either create additional domains
in FreeIPA (if you want to use the FreeIPA GUI/CLI to manage DNS
records), or just have separate DNS domains managed elsewhere. If
FreeIPA is managing your DNS, you can get it to manage your reverse DNS
too, by creating domains like 10.in-addr.arpa and 168.192.in-addr.arpa.
Taking this to extreme: you don't even need to use the same DNS domain
for your IPA and your other equipment. It's fine to have:
even if all the hosts are joined into the same Kerberos realm
IPA.YOURDOMAIN.COM (which sounds like what you're doing).
This is quite a good approach if you already have existing DNS for
site1.yourdomain.com and site2.yourdomain.com which you don't want to
change. Having FreeIPA manage its own domain makes it easier to
automatically locate the Kerberos servers for the realm
IPA.YOURDOMAIN.COM. But even that's not necessary if you are happy to
create the necessary SRV records in the DNS yourself.
The final issue is IPA replicas in multiple sites. Personally I've put
all my IPA replicas in the same DNS domain (ldap-1.ipa.yourcompany.com;
ldap-2.ipa.yourcompany.com), and have never tried putting them in
different DNS domains: e.g.
I'm not sure if you can do this, and I think it would be safer not to
unless someone else on this list says it's OK.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
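The reply above mentions two DNS chores that FreeIPA can do for you but that you may end up doing by hand if your DNS lives elsewhere: naming the reverse zones (10.in-addr.arpa, 168.192.in-addr.arpa) and publishing the SRV/TXT records that let clients locate the KDCs of the realm. The script below is an added example written for this editing pass, not code from the thread or from the FreeIPA project. It generates those records for the hypothetical layout discussed above (realm IPA.YOURDOMAIN.COM, replicas ldap-1/ldap-2 in ipa.yourdomain.com, hosts in site1/site2.yourdomain.com); the record names and ports are the ones ipa-server-install publishes for MIT Kerberos and LDAP, and the priority/weight values 0 100 are an assumption.

```python
"""Generate FreeIPA-style DNS discovery records and reverse-zone names.

Added example for the thread above; names and addresses are hypothetical.
"""
import ipaddress
from collections import OrderedDict


def reverse_zone(cidr):
    """Map an IPv4 network to the in-addr.arpa zone that holds its PTR records.

    Only /8, /16 and /24 networks map onto exactly one zone (one, two or
    three leading octets, reversed). Other prefix lengths need RFC 2317
    classless delegation and are rejected rather than silently mis-named.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("%s: only /8, /16 or /24 IPv4 networks map to one zone" % cidr)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


# SRV owner names and ports that ipa-server-install publishes for a realm.
REALM_SRV = (
    ("_kerberos._tcp", 88),
    ("_kerberos._udp", 88),
    ("_kerberos-master._tcp", 88),
    ("_kerberos-master._udp", 88),
    ("_kpasswd._tcp", 464),
    ("_kpasswd._udp", 464),
    ("_ldap._tcp", 389),
)


def realm_discovery_records(realm, servers, client_domains=()):
    """Return {zone_name: [record lines]} for DNS-based discovery of `realm`.

    MIT krb5 (dns_lookup_kdc) queries _kerberos._udp.<realm, lower-cased>, so
    the SRV records must live in the zone whose name equals the realm, even
    though the KDCs themselves may have names in any domain. Each extra
    client domain gets only a _kerberos TXT record mapping it to the realm;
    krb5 consults that only when dns_lookup_realm is enabled.
    """
    if not realm or realm != realm.upper():
        raise ValueError("Kerberos realm names are upper-case by convention: %r" % realm)
    zone = realm.lower()
    zones = OrderedDict()
    realm_zone = ['_kerberos IN TXT "%s"' % realm]
    for owner, port in REALM_SRV:
        for srv in servers:
            fqdn = srv if srv.endswith(".") else srv + "."   # absolute target
            realm_zone.append("%s IN SRV 0 100 %d %s" % (owner, port, fqdn))
    zones[zone] = realm_zone
    for dom in client_domains:
        dom = dom.rstrip(".").lower()
        if dom == zone:
            continue  # already covered by the realm zone's TXT record
        zones[dom] = ['_kerberos IN TXT "%s"' % realm]
    return zones


def as_zone_text(zones):
    """Render the per-zone record lists as $ORIGIN-separated zone-file text."""
    out = []
    for zone, records in zones.items():
        out.append("$ORIGIN %s." % zone)
        out.extend(records)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed sample: the layout from the thread, names hypothetical.
    for net in ("10.0.0.0/8", "192.168.0.0/16"):
        print("%-18s -> %s" % (net, reverse_zone(net)))
    zones = realm_discovery_records(
        "IPA.YOURDOMAIN.COM",
        ["ldap-1.ipa.yourdomain.com", "ldap-2.ipa.yourdomain.com"],
        ["site1.yourdomain.com", "site2.yourdomain.com"],
    )
    print(as_zone_text(zones))
```

Two caveats when publishing these by hand. The SRV records only tell a client where a KDC is; the KDC still proves itself through the Kerberos exchange, so a spoofed SRV answer degrades to denial of service. The domain-to-realm TXT mapping is different: an attacker who can forge it can point a client at a realm of their choosing, which is why MIT krb5 leaves dns_lookup_realm off by default and ipa-client-install writes the mapping into krb5.conf's [domain_realm] section at enrollment instead of relying on DNS.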