Sumit Bose wrote:
NO. It is the other way round.

It is_not_  recommended and will not even work properly to use the same
DNS domain for IPA and AD. Even worse with using the same realm for
both, this cannot work at all.

It is required to have a different realm name for the IPA domain and it
is important to use a different DNS domain as well (a bit is possible
with hosts in the same DNS domain but you loose functionality here).

Where did you find the recommendation to user the same DNS domain and

Apologies I must have been unclear. What I was trying to say is that
we are going for the "hosts in the different DNS domain" deployment scenario ...

- We have unique domain name and realm for IPA:
- We use in AWS and have our own Active Directory servers for: - We want to use ipa-client to bind our servers to but use DNS names from for operation

Our end goal:
- We have many external AD forests we are linking to one at a time - End goal: operate hosts with DNS name "" as IPA clients of "" using AD logins coming from the external trusts


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to