On Fri, 04 Mar 2016, Csaba Patyi wrote:
> Hi Everybody,
>
> We are trying to create sync between Windows 2012 r2 AD and FreeIPA 4.2.0
> (CentOS 7) and we run into an issue.
>
> We are following this documentation:
> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/active-directory.html
>
> I know it is a little bit old and now the preferred method is trust and not
> sync. But if my understanding is correct, in trust you have to use 2
> different domains like company.net <--> company.com and it cannot be used as
> company.com <--> company.com
Your understanding is not fully correct.

You cannot have IPA machines in the same DNS zone as Active Directory.
You can have IPA machines in a subdomain or a completely separate zone.

If you need to present IPA machines as part of Active Directory DNS
zone, you can use CNAME trick where machines are actually in
.ipa.company.com (A/AAAA in that DNS zone) and have a CNAME in
.company.com that points to the true name in .ipa.company.com.

Again, the reason for this is that FreeIPA presents itself as a separate
Active Directory forest, and it is impossible for two Active Directory
forests to be in the same DNS zone. This is an Active Directory
limitation, not a FreeIPA one.
--
/ Alexander Bokovoy
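The CNAME layout Alexander describes is easy to get subtly wrong when records are added by hand on two different DNS servers. The following checker is an added example (not code from the thread, FreeIPA, or Active Directory): given zone records from both sides, it verifies that each IPA host has its A/AAAA record in ipa.company.com and appears in company.com only as a CNAME pointing at that name. The zone names come from the thread; the host names and record data are constructed sample input.

```python
"""Verify the CNAME layout from the thread: IPA hosts carry A/AAAA records
in ipa.company.com, and the AD zone company.com holds only a CNAME per
IPA host that points at the name in the IPA zone.

The records below are constructed sample data, not dumps of real zones.
"""

from collections import defaultdict

AD_ZONE = "company.com."       # zone owned by Active Directory (from the thread)
IPA_ZONE = "ipa.company.com."  # zone owned by FreeIPA (from the thread)

# Constructed zone-file style lines, as if dumped from both DNS servers.
# ipa1/ipa2 follow the recommended layout; ipa3/ipa4 show common mistakes.
SAMPLE_RECORDS = """
ipa1.ipa.company.com.   3600 IN A     192.0.2.10
ipa2.ipa.company.com.   3600 IN A     192.0.2.11
ipa2.ipa.company.com.   3600 IN AAAA  2001:db8::11
ipa1.company.com.       3600 IN CNAME ipa1.ipa.company.com.
ipa2.company.com.       3600 IN CNAME ipa2.ipa.company.com.
ipa3.company.com.       3600 IN A     192.0.2.12
ipa4.company.com.       3600 IN CNAME ipa4.ipa.company.com.
ipa4.company.com.       3600 IN A     192.0.2.13
"""


def parse_records(text):
    """Parse 'name ttl class type rdata' lines into (name, type, rdata) tuples.

    Names and rdata are lower-cased so comparisons are case-insensitive,
    as DNS names are.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5:
            raise ValueError(f"malformed record: {line}")
        name, rtype, rdata = parts[0], parts[3], " ".join(parts[4:])
        records.append((name.lower(), rtype.upper(), rdata.lower()))
    return records


def check_layout(records, ipa_hosts):
    """Return a list of findings (empty when the layout is correct).

    ipa_hosts are the short host names that should be managed by FreeIPA.
    """
    by_name = defaultdict(list)
    for name, rtype, rdata in records:
        by_name[name].append((rtype, rdata))

    findings = []
    for host in ipa_hosts:
        host = host.lower()
        ad_name = f"{host}.{AD_ZONE}"
        ipa_name = f"{host}.{IPA_ZONE}"
        ipa_rrs = by_name.get(ipa_name, [])
        ad_rrs = by_name.get(ad_name, [])

        # The true address records must live in the IPA zone.
        if not any(t in ("A", "AAAA") for t, _ in ipa_rrs):
            findings.append(f"{ipa_name}: no A/AAAA record in the IPA zone")

        # The AD zone may only carry a CNAME to the IPA name.
        for rtype, rdata in ad_rrs:
            if rtype in ("A", "AAAA"):
                findings.append(
                    f"{ad_name}: {rtype} record directly in the AD zone; "
                    f"should be a CNAME to {ipa_name}")
            elif rtype == "CNAME" and rdata != ipa_name:
                findings.append(
                    f"{ad_name}: CNAME points to {rdata}, expected {ipa_name}")

        # A CNAME may not share its owner name with any other record type.
        if any(t == "CNAME" for t, _ in ad_rrs) and len(ad_rrs) > 1:
            findings.append(
                f"{ad_name}: CNAME coexists with other records at the same name")
    return findings


if __name__ == "__main__":
    for finding in check_layout(parse_records(SAMPLE_RECORDS),
                                ["ipa1", "ipa2", "ipa3", "ipa4"]):
        print(finding)
```

Run against real data by replacing SAMPLE_RECORDS with a zone transfer or export from each server; a clean run means every IPA host resolves through company.com only by way of the CNAME into ipa.company.com, which is the arrangement that keeps the two forests in separate DNS zones.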
