Re: [Freeipa-users] Trust relationship redundancy
On Wed, 05 Nov 2014, William Muriithi wrote:
> Peter,
>
> Sorry, missed your response earlier.
>
> On 4.11.2014 21:57, William Muriithi wrote:
>> Afternoon,
>>
>> I have two AD and would like to retain that redundancy within IPA after
>> establishing trust relationship. How would one achieve that?
>>
>> I have attempted the following:
>>
>> [root@ipa3-yyz-int ~]# ipa dnszone-add example.local --name-server=srvyyzdc02.example.local --name-server=srvyyzdc01.example.local --admin-email='systemad...@example.com' --force --forwarder=10.10.10.90 --forwarder=10.10.10.91 --forward-policy=only --ip-address=10.10.10.90 --ip-address=10.10.10.91
>> ipa: ERROR: invalid 'idnssoamname': Only one value is allowed
>>
>> And got the following error above
>
>> Hello,
>> Could you explain what you are trying to achieve, please?
>
> Was trying to make sure trust remains in place even if we lose one of the
> master master AD
>
>> What version of FreeIPA do you use?
>
> Version 3.3. Default on CentOS 7 with all updates applied. Not at office at
> the moment so can't post the precise rpm version.
>
>> Commands 'ipa dnszone-*' manage DNS and are not strictly related to AD
>> trusts.
>> If you add a DNS zone to one IPA server it is automatically served by all
>> other servers. This applies to master & forward zones too.
>
> Ah. I see. I misunderstood the documentation then.
>
> So, would ipa know there are two active directories in the network even
> without being explicit on the configuration? I am guessing through DNS?

IPA uses DNS SRV records to discover AD DCs to talk to. You can read more
about the mechanism Windows uses to discover services via DNS here:
http://msdn.microsoft.com/en-us/library/cc717360.aspx

If you want redundancy on the Active Directory side, make sure the DNS zone
for the Active Directory forest contains SRV records as explained in
MS-ADTS 6.3.6.1 and that these records mention all required servers.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Trust relationship redundancy
Peter,

Sorry, missed your response earlier.

On 4.11.2014 21:57, William Muriithi wrote:
> Afternoon,
>
> I have two AD and would like to retain that redundancy within IPA after
> establishing trust relationship. How would one achieve that?
>
> I have attempted the following:
>
> [root@ipa3-yyz-int ~]# ipa dnszone-add example.local --name-server=srvyyzdc02.example.local --name-server=srvyyzdc01.example.local --admin-email='systemad...@example.com' --force --forwarder=10.10.10.90 --forwarder=10.10.10.91 --forward-policy=only --ip-address=10.10.10.90 --ip-address=10.10.10.91
> ipa: ERROR: invalid 'idnssoamname': Only one value is allowed
>
> And got the following error above

> Hello,
> Could you explain what you are trying to achieve, please?

Was trying to make sure trust remains in place even if we lose one of the
master master AD

> What version of FreeIPA do you use?

Version 3.3. Default on CentOS 7 with all updates applied. Not at office at
the moment so can't post the precise rpm version.

> Commands 'ipa dnszone-*' manage DNS and are not strictly related to AD
> trusts.
> If you add a DNS zone to one IPA server it is automatically served by all
> other servers. This applies to master & forward zones too.

Ah. I see. I misunderstood the documentation then.

So, would ipa know there are two active directories in the network even
without being explicit on the configuration? I am guessing through DNS? If
not, what would be needed to clue it in on this fact?

> To get full redundancy for *master* zones you have to add all names of IPA
> DNS servers to NS records in the zone and also to its parent zone. (BTW
> FreeIPA 4.1 will manage in-zone NS records automatically for you.)
>
> For forward zones you don't need to do anything else. It should just work.
> --
> Petr^2 Spacek

Thanks
William
Re: [Freeipa-users] Trust relationship redundancy
On 4.11.2014 21:57, William Muriithi wrote:
> Afternoon,
>
> I have two AD and would like to retain that redundancy within IPA after
> establishing trust relationship. How would one achieve that?
>
> I have attempted the following:
>
> [root@ipa3-yyz-int ~]# ipa dnszone-add example.local --name-server=srvyyzdc02.example.local --name-server=srvyyzdc01.example.local --admin-email='systemad...@example.com' --force --forwarder=10.10.10.90 --forwarder=10.10.10.91 --forward-policy=only --ip-address=10.10.10.90 --ip-address=10.10.10.91
> ipa: ERROR: invalid 'idnssoamname': Only one value is allowed
>
> And got the following error above
>
> This however works
>
> ipa dnszone-add example.local --name-server=srvyyzdc02.example.local --admin-email='systemad...@example.com' --force --forwarder=10.10.10.91 --forward-policy=only --ip-address=10.10.10.91
>
> What should I have done to get redundancy working? If this is not possible
> currently, any chance it can be implemented some day?

Hello,

Could you explain what you are trying to achieve, please?

What version of FreeIPA do you use?

Commands 'ipa dnszone-*' manage DNS and are not strictly related to AD trusts.
If you add a DNS zone to one IPA server it is automatically served by all
other servers. This applies to master & forward zones too.

To get full redundancy for *master* zones you have to add all names of IPA
DNS servers to NS records in the zone and also to its parent zone. (BTW
FreeIPA 4.1 will manage in-zone NS records automatically for you.)

For forward zones you don't need to do anything else. It should just work.

--
Petr^2 Spacek
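The two answers in this thread each name a condition that has to hold for the setup to survive losing one server: Alexander's point that the AD forest zone's SRV records must list every DC, and Petr's point that for a master zone the NS set in the zone and the delegation in the parent must both list every IPA DNS server. The script below is an added example, not FreeIPA code and not from the thread, that checks both conditions offline against zone text in master-file syntax. The zone fragments, host names (`srvyyzdc01`, `ipa1`..`ipa3`) and zone names are constructed placeholders modelled on the thread; it deliberately gives `_gc._tcp` a single target and leaves `ipa3` out of the parent delegation so the report shows what each failure mode looks like.

```python
"""Offline check of the two redundancy conditions raised in this thread:
(1) the AD forest zone advertises more than one DC in the SRV records that
    clients use for DC discovery, and
(2) the NS set at an IPA master zone apex matches the parent's delegation.
Added example, not FreeIPA code.  Zone text is constructed sample data in
master-file syntax; host and zone names are placeholders based on the thread."""
import re

# Constructed sample: fragment of the AD forest zone.  _gc._tcp deliberately
# lists one DC only, so the report shows what a non-redundant service looks like.
AD_ZONE = """\
_ldap._tcp.dc._msdcs.example.local.     600 IN SRV 0 100 389  srvyyzdc01.example.local.
_ldap._tcp.dc._msdcs.example.local.     600 IN SRV 0 100 389  srvyyzdc02.example.local.
_kerberos._tcp.dc._msdcs.example.local. 600 IN SRV 0 100 88   srvyyzdc01.example.local.
_kerberos._tcp.dc._msdcs.example.local. 600 IN SRV 0 100 88   srvyyzdc02.example.local.
_gc._tcp.example.local.                 600 IN SRV 0 100 3268 srvyyzdc01.example.local.
ipa.example.local.                      600 IN NS  ipa1.ipa.example.local.
ipa.example.local.                      600 IN NS  ipa2.ipa.example.local.
"""

# Constructed sample: apex of the delegated IPA master zone.  A third IPA
# server exists in-zone but was never added to the parent's delegation.
IPA_ZONE = """\
ipa.example.local. 600 IN NS ipa1.ipa.example.local.
ipa.example.local. 600 IN NS ipa2.ipa.example.local.
ipa.example.local. 600 IN NS ipa3.ipa.example.local.
"""

# Discovery names a domain member looks up under the forest name (a subset
# of the records MS-ADTS 6.3.6 requires DCs to register).
DC_SERVICES = ("_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs", "_gc._tcp")

RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(SRV|NS)\s+(.+)$")


def _fqdn(name):
    """Normalise a name to lower case with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_records(zone_text):
    """Parse SRV and NS lines into (owner, type, rdata); other types are skipped."""
    records = []
    for line in zone_text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        fields = rdata.split()
        if rtype == "SRV":
            prio, weight, port, target = fields
            rd = (int(prio), int(weight), int(port), _fqdn(target))
        else:
            rd = (_fqdn(fields[0]),)
        records.append((_fqdn(owner), rtype, rd))
    return records


def srv_targets(records, owner):
    """SRV rdata for one owner, ordered by priority then descending weight.
    RFC 2782 clients randomise within a priority level by weight; this is the
    deterministic view of the same preference order."""
    rows = [rd for o, t, rd in records if t == "SRV" and o == _fqdn(owner)]
    return sorted(rows, key=lambda rd: (rd[0], -rd[1], rd[3]))


def srv_redundancy_report(records, forest, services=DC_SERVICES):
    """Map each discovery service to the distinct DCs it advertises."""
    return {svc: sorted({rd[3] for rd in srv_targets(records, f"{svc}.{forest}")})
            for svc in services}


def single_points_of_failure(report):
    """Services advertising fewer than two DCs: losing that host breaks
    discovery for the service even though another DC is still running."""
    return sorted(svc for svc, targets in report.items() if len(targets) < 2)


def ns_set(records, zone):
    """NS targets recorded for the given zone name in this record set."""
    return {rd[0] for o, t, rd in records if t == "NS" and o == _fqdn(zone)}


def delegation_mismatch(parent_records, child_records, zone):
    """Compare the apex NS set with the parent's delegation NS set; for full
    redundancy both must list every IPA DNS server."""
    parent, child = ns_set(parent_records, zone), ns_set(child_records, zone)
    return {"missing_in_parent": sorted(child - parent),
            "missing_in_child": sorted(parent - child)}


if __name__ == "__main__":
    ad = parse_records(AD_ZONE)
    report = srv_redundancy_report(ad, "example.local")
    for svc, targets in report.items():
        print(f"{svc:26s} -> {', '.join(targets)}")
    print("single points of failure:", single_points_of_failure(report))
    print("delegation mismatch:",
          delegation_mismatch(ad, parse_records(IPA_ZONE), "ipa.example.local"))
```

On real data the same functions would be fed the output of a zone transfer or of `dig` queries for each name in `DC_SERVICES`; the check is deliberately independent of the trust itself, because, as the thread explains, IPA only learns about the second DC through these records, so a DC that is missing from them is invisible to the trust no matter how the `ipa dnszone-*` command was written.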