Re: [Freeipa-users] DNS Design for FreeIPA4
On 15.1.2015 20:51, Baird, Josh wrote:
> Hi,
>
> We are currently piloting FreeIPA4 (RHEL 7.1 IdM) in our environment. We plan on establishing a trust with AD at some point during the POC.
>
> An overview of the current DNS design:
>
> * FreeIPA runs integrated DNS (ie, ipa.domain.com)
> * Servers in our environment (even once joined to IPA) continue to use our current non-IPA DNS infrastructure for name resolution
> * Servers in our environment have hostnames in several other non-IPA domains (not ipa.domain.com)
> * IPA DNS is configured to zone-transfer ipa.domain.com to our primary infrastructure non-IPA DNS servers
> * IPA is configured to forward all non ipa.domain.com requests to our primary infrastructure non-IPA DNS servers
> * ipa.domain.com DNS can be resolved from all non-IPA DNS servers since it is a slave on our primary non-IPA DNS servers
> * IPA can resolve our Active Directory DNS (ad.domain.lan)
> * Active Directory DNS can resolve IPA DNS (ipa.domain.com)
>
> Is this a sensible design for DNS?
>
> In this configuration, IPA does not appear to be creating DNS records in ipa.domain.com for the hosts that we add to IPA. This is presumably because the hosts themselves are in other domains (not ipa.domain.com) which are not controlled by IPA. Is this going to cause problems?

It should work as long as AD and IPA controlled domains do not overlap. You have to put AD-directly-joined machines in one set of DNS domains and IPA-joined machines in a distinct set of DNS domains. This is a requirement because you have to have an unambiguous DNS domain - Kerberos REALM mapping.

> We have a requirement to keep all servers in our environment using our primary non-IPA DNS servers for resolution. It seemed logical to use IPA-integrated DNS just so IPA could manage the SRV/LDAP records automatically within the IPA zone.

This is definitely a good idea.

> Any advice/tips/suggestions regarding this design would be greatly appreciated.

It should work just fine if you respect the limitation mentioned above.
Let us know if you encounter any problems so we can help you with debugging.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
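An added worked example, not part of this thread and not FreeIPA project code, for the constraint Petr states above (every host name must map unambiguously to one Kerberos realm). It parses the [domain_realm] section of a krb5.conf, picks the realm for a host name using a simplified model of libkrb5's lookup (exact host name first, then each parent domain with a leading dot, most specific first; that rule is an assumption here, not a citation), and audits a list of hosts against the realm each one is actually joined to. The krb5.conf text, host names such as web01.corp.domain.com and the "joined to" realms are all constructed for the example from the names used in the thread.

```python
"""
Offline checker for the DNS-domain to Kerberos-realm mapping constraint
discussed in the thread. Added example; not from the mailing list or the
FreeIPA project. The lookup rule below is a simplified model of libkrb5
(assumption): exact host name first, then parent domains with a leading
dot, most specific first.
"""


def _norm(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are exact."""
    return name.strip().rstrip(".").lower()


def parse_domain_realm(krb5_conf_text: str) -> dict:
    """Return {domain_or_host: REALM} from the [domain_realm] section."""
    mapping = {}
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[_norm(key)] = realm.upper()
    return mapping


def realm_for_host(fqdn: str, domain_realm: dict):
    """
    Pick the realm krb5 would choose for fqdn, or None when no entry
    matches (libkrb5 then falls back to default_realm, which is exactly
    the ambiguous situation the thread warns about).
    """
    host = _norm(fqdn)
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    # ".ipa.domain.com" is tried before ".domain.com", so a parent/child
    # layout such as AD=domain.com, IPA=ipa.domain.com still resolves
    # unambiguously; two realms claiming the same suffix would not.
    for idx in range(1, len(labels)):
        suffix = "." + ".".join(labels[idx:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None


def audit_hosts(hosts, domain_realm: dict) -> dict:
    """
    hosts: iterable of (fqdn, realm the host is actually joined to).
    Returns {fqdn: problem} for every host whose DNS name does not map
    to the realm it belongs to; an empty dict means the layout is clean.
    """
    problems = {}
    for fqdn, joined_realm in hosts:
        mapped = realm_for_host(fqdn, domain_realm)
        if mapped is None:
            problems[fqdn] = "no [domain_realm] entry; would fall back to default_realm"
        elif mapped != joined_realm.upper():
            problems[fqdn] = f"DNS name maps to {mapped} but host is joined to {joined_realm.upper()}"
    return problems


# Constructed sample: the layout from the original post, where IPA-joined
# hosts keep names in other, non-IPA domains (here corp.domain.com).
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = IPA.DOMAIN.COM

[domain_realm]
 .ipa.domain.com = IPA.DOMAIN.COM
 ipa.domain.com = IPA.DOMAIN.COM
 .ad.domain.lan = AD.DOMAIN.LAN
 ad.domain.lan = AD.DOMAIN.LAN
"""

SAMPLE_HOSTS = [
    ("ipa1.ipa.domain.com", "IPA.DOMAIN.COM"),    # IPA server, fine
    ("dc1.ad.domain.lan", "AD.DOMAIN.LAN"),       # AD DC, fine
    ("web01.corp.domain.com", "IPA.DOMAIN.COM"),  # IPA client outside the IPA domain
    ("fs01.ad.domain.lan", "IPA.DOMAIN.COM"),     # IPA client named inside the AD domain
]


def sample_audit() -> dict:
    """Run the audit over the constructed sample."""
    return audit_hosts(SAMPLE_HOSTS, parse_domain_realm(SAMPLE_KRB5_CONF))


if __name__ == "__main__":
    for fqdn, problem in sample_audit().items():
        print(f"{fqdn}: {problem}")
```

Run against the sample, the audit flags two hosts: web01.corp.domain.com has no mapping at all (an IPA client in a domain neither IPA nor AD controls needs an explicit entry, or it silently inherits default_realm), and fs01.ad.domain.lan maps to the AD realm although it is IPA-joined, which is the overlap Petr says to avoid. Feed it the real /etc/krb5.conf and the host inventory to check a proposed domain split before creating the trust.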
Re: [Freeipa-users] DNS Design for FreeIPA4
Josh,

First, sorry for top posting, on a stupid cell.

You miss the point that DNS is not only used for name resolution, but also for hosting configuration. If something is not right about DNS, lots of incorrect info will be embedded on your IPA clients. Make it simple as Simo said and point your IPA clients to IPA servers. Red Hat recommends you point your IPA clients to IPA servers. Microsoft recommends the same thing, point Windows clients to AD.

> William,
>
> I don't understand why I would have problems if AD DNS can resolve IPA DNS, and IPA DNS can resolve AD DNS? The DNS servers that my servers are using can resolve both AD and IPA.
>
> Thanks,
>
> Josh
Re: [Freeipa-users] DNS Design for FreeIPA4
On Fri, 16 Jan 2015 11:58:12 -0500
William Muriithi william.murii...@gmail.com wrote:

> Josh,
>
> First, sorry for top posting, on a stupid cell.
>
> You miss the point that DNS is not only used for name resolution, but also for hosting configuration. If something is not right about DNS, lots of incorrect info will be embedded on your IPA clients. Make it simple as Simo said and point your IPA clients to IPA servers. Red Hat recommends you point your IPA clients to IPA servers. Microsoft recommends the same thing, point Windows clients to AD.

Hi William,
we just recommend that IPA clients have names in IPA-managed domains; the DNS server the clients actually point to does not really matter as long as proper DNS resolution happens (either using forwarding or delegation).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] DNS Design for FreeIPA4
William,

I don't understand why I would have problems if AD DNS can resolve IPA DNS, and IPA DNS can resolve AD DNS? The DNS servers that my servers are using can resolve both AD and IPA.

Thanks,

Josh

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of William Muriithi
Sent: Thursday, January 15, 2015 8:08 PM
To: freeipa-users@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] DNS Design for FreeIPA4

> Josh,
>
> You will have problems if you go with the plan below, in my opinion. I used arrangements like the one you listed below when I used FreeIPA 2.2. This worked for me only when I had users hosted on FreeIPA. After upgrading to 3.3 for trust, it became very unreliable and I had to point the IPA clients to the IPA server for it to work reliably.
>
> Especially if you plan to point them to AD, it wouldn't work as AD uses DNS for configuration just like IPA, so there will be conflict.
>
> William
Re: [Freeipa-users] DNS Design for FreeIPA4
Hi,

KISS, keep it simple and stupid.

What we do is: the AD domain is domain.com and does all its own DNS and Kerberos, all Windows machines point at it etc. The IPA domain is ipa.domain.com and all IPAs, and indeed all Linux servers, point at IPA for everything incl. NTP. IPA servers use the AD servers as forwarders to get WWW DNS answers etc.

regards
Steven

From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on behalf of Baird, Josh jba...@follett.com
Sent: Friday, 16 January 2015 3:30 p.m.
To: William Muriithi; freeipa-users@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] DNS Design for FreeIPA4

> William,
>
> I don't understand why I would have problems if AD DNS can resolve IPA DNS, and IPA DNS can resolve AD DNS? The DNS servers that my servers are using can resolve both AD and IPA.
>
> Thanks,
>
> Josh
Re: [Freeipa-users] DNS Design for FreeIPA4
Josh,

You will have problems if you go with the plan below, in my opinion. I used arrangements like the one you listed below when I used FreeIPA 2.2. This worked for me only when I had users hosted on FreeIPA. After upgrading to 3.3 for trust, it became very unreliable and I had to point the IPA clients to the IPA server for it to work reliably.

Especially if you plan to point them to AD, it wouldn't work as AD uses DNS for configuration just like IPA, so there will be conflict.

William

> We are currently piloting FreeIPA4 (RHEL 7.1 IdM) in our environment. We plan on establishing a trust with AD at some point during the POC.
>
> An overview of the current DNS design:
>
> * FreeIPA runs integrated DNS (ie, ipa.domain.com)
> * Servers in our environment (even once joined to IPA) continue to use our current non-IPA DNS infrastructure for name resolution
> * Servers in our environment have hostnames in several other non-IPA domains (not ipa.domain.com)
> * IPA DNS is configured to zone-transfer ipa.domain.com to our primary infrastructure non-IPA DNS servers
> * IPA is configured to forward all non ipa.domain.com requests to our primary infrastructure non-IPA DNS servers
> * ipa.domain.com DNS can be resolved from all non-IPA DNS servers since it is a slave on our primary non-IPA DNS servers
> * IPA can resolve our Active Directory DNS (ad.domain.lan)
> * Active Directory DNS can resolve IPA DNS (ipa.domain.com)
>
> Is this a sensible design for DNS?
>
> In this configuration, IPA does not appear to be creating DNS records in ipa.domain.com for the hosts that we add to IPA. This is presumably because the hosts themselves are in other domains (not ipa.domain.com) which are not controlled by IPA. Is this going to cause problems?
>
> We have a requirement to keep all servers in our environment using our primary non-IPA DNS servers for resolution. It seemed logical to use IPA-integrated DNS just so IPA could manage the SRV/LDAP records automatically within the IPA zone.
>
> Any advice/tips/suggestions regarding this design would be greatly appreciated.
>
> Thanks,
>
> Josh
>
> -- 
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> End of Freeipa-users Digest, Vol 78, Issue 62