On 26/10/2016 21:03, Ranbir wrote:

If I have two networks, say A and B, and I want both to use the same FreeIPA server, should I have one Freeipa domain for network A and a sub-domain for network B, (domain.local and b.domain.local), or should I create two top level domains (a.local and b.local)? What's the recommended way to do this?

Well, as a first point, I'd say never use a fake domain like ".local". Use a subdomain of some real domain that you already have - e.g. int.yourcompany.com. You don't need to expose it to the Internet if you don't want to, and a fake domain can cause you problems down the line.

Secondly: do you really need two domains? DNS domains are used as way to delegate administrative responsibility. If the same person is managing the DNS for both sites, then you can just as well use one domain. Personally I like to embed the site in the hostname (e.g. lon-srv-1.int.yourcomany.com), because there are many circumstance in which only the shortened hostname "lon-srv-1" is seen, such as syslog messages and bash prompts. Hence it's good for the hostname itself to be unambiguous.

But if you prefer a different DNS domain for equipment in each site, that's not a problem either. You can either create additional domains in FreeIPA (if you want to use the FreeIPA GUI/CLI to manage DNS records), or just have separate DNS domains managed elsewhere. If FreeIPA is managing your DNS, you can get it to manage your reverse DNS too, by creating domains like 10.in-addr.arpa and 168.192.in-addr.arpa.

Taking this to extreme: you don't even need to use the same DNS domain for your IPA and your other equipment. It's fine to have:


even if all the hosts are joined into the same Kerberos realm IPA.YOURDOMAIN.COM (which sounds like is what you're doing).

This is quite a good approach if you already have existing DNS for site1.yourdomain.com and site2.yourdomain.com which you don't want to change. Having FreeIPA manage its own domain makes it easier to automatically locate the Kerberos servers for the realm IPA.YOURDOMAIN.COM. But even that's not necessary if you are happy to create the necessary SRV records in the DNS yourself.

The final issue is IPA replicas in multiple sites. Personally I've put all my IPA replicas in the same DNS domain (ldap-1.ipa.yourcompany.com; ldap-2.ipa.yourcompany.com), and have never tried putting them in different DNS domains: e.g.


I'm not sure if you can do this, and I think it would be safer not to unless someone else on this list says it's OK.



Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to