2.4. DNS

It is recommended that you use DNS to facilitate Service Discovery in IPA. Service Discovery refers to the way that IPA clients find (or discover) IPA servers. You can use the basic DNS configuration that is provided with IPA to configure an existing DNS to work with IPA, or pass the --setup-bind option to the ipa-server-install command to configure a new DNS. The DNS does not need to be on the same machine as the IPA server, but it does need to be correctly configured and fully functional.

Note

The --setup-bind option is an optional parameter that can be passed to the ipa-server-install script. This is provided for convenience only; it is not a supported aspect of IPA.

To aid in the creation and configuration of a suitable DNS setup, the IPA installation creates a sample zone file. During the installation you will see a message similar to the following:

Sample zone file for bind has been created in /tmp/sample.zone.F_uMf4.db

You should incorporate this file into the zone configuration of your DNS server. Further, you need to ensure that the FQDN of the IPA server does not resolve to the loopback address.

IPA, DNS, and NSCD

It is recommended that you avoid or restrict the use of nscd (Name Service Caching Daemon) in a Red Hat Enterprise IPA deployment. The nscd service is extremely useful for reducing the load on the server, and for making clients more responsive, but drawbacks also exist.

nscd performs caching for all services that perform queries via the nsswitch interface, including getent. Because nscd performs both positive and negative caching, a lookup that determines that a specific IPA user does not exist is stored as a negative cache entry. Values stored in the cache remain until the cache entry expires, regardless of any changes that may occur on the server in the meantime.

The result of such caching is that new users and memberships may not be visible, and users and memberships that have been removed may still be visible.

To alleviate these effects, you can avoid the use of nscd altogether, or use a shorter cache time. In particular, consider changing the following values in the /etc/nscd.conf file to suit the usage patterns of your deployment:

positive-time-to-live   group           3600
negative-time-to-live   group           60
positive-time-to-live   hosts           3600
negative-time-to-live   hosts           20

DNS and Kerberos

Kerberos, too, has very specific DNS requirements. The Kerberos server requires a valid DNS A record, and reverse DNS needs to work correctly. Do not use CNAME or DDNS names, as they can cause major problems later. The IPA installation process includes checks to ensure that the IPA server name is a DNS A record and that its forward and reverse lookups match.
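The following is an added example, not part of this guide or of IPA itself, that reproduces the checks described above (A record rather than CNAME, no loopback address, and a PTR record that points back to the FQDN) against a constructed set of records, so a hostname can be validated before running ipa-server-install. The example.com names and 192.0.2.x addresses are invented sample data; check_live runs the same checks through the system resolver.

```python
import ipaddress
import socket

# Constructed sample records (not from the page). forward: name -> (type, value);
# reverse: address -> names returned by a PTR lookup of that address.
SAMPLE_FORWARD = {
    "ipa1.example.com": ("A", "192.0.2.10"),           # passes every check
    "ipa2.example.com": ("A", "127.0.0.1"),            # FQDN maps to loopback
    "ipa.example.com": ("CNAME", "ipa1.example.com"),  # alias, not an A record
    "ipa3.example.com": ("A", "192.0.2.30"),           # PTR names another host
}
SAMPLE_REVERSE = {"192.0.2.10": ["ipa1.example.com"], "192.0.2.30": ["web.example.com"]}

def check_ipa_hostname(fqdn, forward, reverse):
    """Return the list of problems found; an empty list means the name passes.

    Mirrors the installer's checks from the text: the name must be an A record,
    must not resolve to loopback, and its PTR must point back to the same FQDN.
    """
    rec = forward.get(fqdn)
    if rec is None:
        return [f"{fqdn}: no forward record"]
    rtype, value = rec
    if rtype != "A":
        return [f"{fqdn}: forward record is {rtype} -> {value}; an A record is required"]
    problems = []
    if ipaddress.ip_address(value).is_loopback:
        problems.append(f"{fqdn}: resolves to loopback address {value}")
    ptr_names = reverse.get(value, [])
    if not ptr_names:
        problems.append(f"{value}: no reverse (PTR) record")
    elif fqdn not in ptr_names:
        problems.append(f"{value}: reverse lookup gives {ptr_names}, not {fqdn}")
    return problems

def check_live(fqdn):
    """Same checks via the system resolver (needs working DNS; not run offline)."""
    canonical, _, addrs = socket.gethostbyname_ex(fqdn)
    if canonical != fqdn:  # canonical name differs, e.g. the name is a CNAME
        return check_ipa_hostname(fqdn, {fqdn: ("CNAME", canonical)}, {})
    addr = addrs[0]
    try:
        name, aliases, _ = socket.gethostbyaddr(addr)
        reverse = {addr: [name] + aliases}
    except socket.herror:
        reverse = {}
    return check_ipa_hostname(fqdn, {fqdn: ("A", addr)}, reverse)
```

Run check_live(socket.getfqdn()) on the prospective IPA server; any non-empty result is a DNS problem to fix before installation.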

Refer to Red Hat Enterprise IPA, Kerberos, and DNS in the Red Hat Enterprise IPA Administrator's Reference for more information on how these technologies work together.