Sumit Bose wrote:
NO. It is the other way round.
It is _not_ recommended and will not even work properly to use the same
DNS domain for IPA and AD. Even worse with using the same realm for
both, this cannot work at all.
It is required to have a different realm name for the IPA domain and it
is important to use a different DNS domain as well (a bit is possible
with hosts in the same DNS domain but you lose functionality here).
Where did you find the recommendation to use the same DNS domain and
Apologies, I must have been unclear. What I was trying to say is that
we are going for the "hosts in the different DNS domain" deployment:
- We have a unique domain name and realm for IPA: company-ipa.org
- We use company-aws.org in AWS and have our own Active Directory
servers for: company-aws.org
- We want to use ipa-client to bind our servers to company-ipa.org but
use DNS names from company-aws.org for operation
Our end goal:
- We have many external AD forests we are linking to company-ipa.org one
at a time
- End goal: operate hosts with DNS name "company-aws.org" as IPA clients
of "company-ipa.org" using AD logins coming from the external trusts
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
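For the layout the poster describes (hosts named in company-aws.org enrolled as IPA clients of company-ipa.org), here is an added example, not code from the thread: a POSIX shell pre-check that encodes the naming rule from the reply above before the enrolment command is run. The IPA server name ipa1.company-ipa.org and the sample host names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pre-enrolment check for a host whose
# DNS name is in the AD domain (company-aws.org) but which should become an
# IPA client of company-ipa.org. Encodes the rule stated in the reply:
#  - same DNS domain for IPA and AD: not recommended, does not work properly
#  - same realm for IPA and AD: cannot work at all
#  - host in the AD DNS domain: possible, but with reduced functionality

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# check_naming IPA_DOMAIN IPA_REALM AD_DOMAIN HOST_FQDN
# exit status: 0 = clean layout, 2 = works with lost functionality, 1 = cannot work
check_naming() {
    ipa_domain=$(lower "$1"); ipa_realm=$(lower "$2")
    ad_domain=$(lower "$3");  host_fqdn=$(lower "$4")
    # The AD Kerberos realm is the AD DNS domain in upper case, so comparing
    # the lower-cased IPA realm with the AD domain detects a realm clash.
    if [ "$ipa_realm" = "$ad_domain" ]; then
        echo "ERROR: IPA realm equals the AD realm; this cannot work" >&2
        return 1
    fi
    if [ "$ipa_domain" = "$ad_domain" ]; then
        echo "ERROR: IPA and AD share DNS domain $ad_domain; not supported" >&2
        return 1
    fi
    case "$host_fqdn" in
        *."$ad_domain")
            echo "WARNING: $host_fqdn is in the AD DNS domain; enrolment works but some functionality is lost" >&2
            return 2 ;;
    esac
    return 0
}

# Build the enrolment command for this layout (server name is constructed):
# --domain/--realm point at IPA, --hostname keeps the host's AD-domain name.
client_install_cmd() {
    host_fqdn=$1
    echo "ipa-client-install --domain=company-ipa.org --realm=COMPANY-IPA.ORG" \
         "--server=ipa1.company-ipa.org --hostname=$host_fqdn"
}

# Usage: run the check, then show the enrolment command unless the layout cannot work.
main() {
    host=${1:-host1.company-aws.org}
    rc=0
    check_naming company-ipa.org COMPANY-IPA.ORG company-aws.org "$host" || rc=$?
    [ "$rc" -ne 1 ] || exit 1
    client_install_cmd "$host"   # printed, not executed, in this example
}
main "$@"
```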