Re: [Freeipa-users] Best practices for core servers
On 04/28/2014 01:03 PM, Bret Wortman wrote:
> We are planning to reconfigure our core Freeipa servers, basically building a replacement infrastructure and migrating to it.
>
> What we're planning right now is a core of three Freeipa servers each of which has a CA, with as much distribution of replication as we can manage. I imagine that means one of them replicates to the other two but am open to other ideas.

You can configure them to replicate to each other.

> For remote locations, we're planning to stand up caching-only DNS servers, as authenticating back to the main IPA servers works extremely well; it's just DNS that needs a little help.
>
> Any thoughts before I start setting these servers (VMs, most likely) up?

You may want to read our upstream Deployment Recommendations article, it may save you some bad decisions from the start:

http://www.freeipa.org/page/Deployment_Recommendations

If we see that we missed anything in this article, it would be great to enhance it.

Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Best practices for core servers
I can already see from this that our key problem may have been that we had one server functioning as the hub and every other remote replica had just one agreement, but those agreements were all with the hub. So that hub had ten agreements. Badness.

We'll give this some good attention as we move forward. Thanks for the pointer, Martin.

Bret

On 04/30/2014 03:15 AM, Martin Kosek wrote:
> On 04/28/2014 01:03 PM, Bret Wortman wrote:
>> We are planning to reconfigure our core Freeipa servers, basically building a replacement infrastructure and migrating to it.
>>
>> What we're planning right now is a core of three Freeipa servers each of which has a CA, with as much distribution of replication as we can manage. I imagine that means one of them replicates to the other two but am open to other ideas.
>
> You can configure them to replicate to each other.
>
>> For remote locations, we're planning to stand up caching-only DNS servers, as authenticating back to the main IPA servers works extremely well; it's just DNS that needs a little help.
>>
>> Any thoughts before I start setting these servers (VMs, most likely) up?
>
> You may want to read our upstream Deployment Recommendations article, it may save you some bad decisions from the start:
>
> http://www.freeipa.org/page/Deployment_Recommendations
>
> If we see that we missed anything in this article, it would be great to enhance it.
>
> Martin
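An added example (not from the thread or the FreeIPA project): a small audit of a replication topology given as agreement pairs, run against the hub-and-spoke layout described in the message above and the three-server core where each server replicates to the others. Host names are constructed, and the `min_agreements`/`max_agreements` thresholds are assumed parameters, not values stated in the thread.

```python
from collections import defaultdict

# Constructed sample topologies (host names are illustrative only).
# One hub holding ten agreements, each remote replica holding exactly one.
HUB_AND_SPOKE = [("hub", f"remote{i:02d}") for i in range(1, 11)]
# Three core servers, each replicating to the other two.
CORE_MESH = [("ipa1", "ipa2"), ("ipa2", "ipa3"), ("ipa1", "ipa3")]


def audit_topology(agreements, min_agreements=2, max_agreements=4):
    """Audit replication agreements given as (server_a, server_b) pairs.

    Thresholds are assumed defaults for illustration. The input topology
    is assumed to be connected before any server is removed.
    """
    peers = defaultdict(set)
    for a, b in agreements:
        peers[a].add(b)
        peers[b].add(a)

    def reachable(start, removed):
        # Depth-first walk that never passes through the removed server.
        seen, stack = {start}, [start]
        while stack:
            for nxt in peers[stack.pop()] - seen - {removed}:
                seen.add(nxt)
                stack.append(nxt)
        return seen

    servers = sorted(peers)
    report = {"overloaded": [], "under_connected": [],
              "single_points_of_failure": []}
    for s in servers:
        if len(peers[s]) > max_agreements:
            report["overloaded"].append(s)
        if len(peers[s]) < min_agreements:
            report["under_connected"].append(s)
        # If losing s cuts any surviving server off from the rest,
        # replication is partitioned and s is a single point of failure.
        others = [x for x in servers if x != s]
        if others and len(reachable(others[0], s)) < len(others):
            report["single_points_of_failure"].append(s)
    return report


if __name__ == "__main__":
    for name, topo in (("hub-and-spoke", HUB_AND_SPOKE), ("core mesh", CORE_MESH)):
        print(name, audit_topology(topo))
```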
[Freeipa-users] Best practices for core servers
We are planning to reconfigure our core Freeipa servers, basically building a replacement infrastructure and migrating to it.

What we're planning right now is a core of three Freeipa servers each of which has a CA, with as much distribution of replication as we can manage. I imagine that means one of them replicates to the other two but am open to other ideas.

For remote locations, we're planning to stand up caching-only DNS servers, as authenticating back to the main IPA servers works extremely well; it's just DNS that needs a little help.

Any thoughts before I start setting these servers (VMs, most likely) up?

--
*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret
Re: [Freeipa-users] Best practices for core servers
On 28.4.2014 13:03, Bret Wortman wrote:
> We are planning to reconfigure our core Freeipa servers, basically building a replacement infrastructure and migrating to it.
>
> What we're planning right now is a core of three Freeipa servers each of which has a CA, with as much distribution of replication as we can manage. I imagine that means one of them replicates to the other two but am open to other ideas.
>
> For remote locations, we're planning to stand up caching-only DNS servers, as authenticating back to the main IPA servers works extremely well; it's just DNS that needs a little help.

Could you be more specific? I'm very interested in any feedback about IPA DNS!

Thank you!

--
Petr^2 Spacek