[Freeipa-users] need info on AD / IPA coexistence

Simo Sorce simo at redhat.com
Thu Mar 8 15:02:57 UTC 2012


On Thu, 2012-03-08 at 09:46 -0500, Sylvain Angers wrote:
> Hi Again
> Our current Linux/AIX servers fqdn should remain on abcd.ca domain 
>  
> I need an advice: Should the ipa server fqdn be ipa.abcd.ca or
> ipa.unix.abcd.ca?

You can have machines on a different DNS domain with FreeIPA.
So you can use unix.abcd.ca for your IPA server and still install
clients in abcd.ca.

I think the only thing you should take care of is to make sure an
abcd.ca -> UNIX.ABCD.CA mapping in krb5.conf under the [domain_realm]
section is available on all machines of the domain to avoid issues
resolving the correct realm for clients in the other domain.

On clients this should be automated in the very latest release but the ipa
server needs to be configured after install.

> and on the Linux/AIX server, should we add entry of both dns (ipa and
> Microsoft AD) in resolv.conf?  

No, that would not work. What you should do is ask your DNS admin to
delegate you the unix.abcd.ca zone. Once that is done it doesn't matter
which DNS you are querying they will know who to ask.
If delegation is not possible you could still use named forwarders in
both IPA and AD so that each DNS server still knows where to forward
requests for the specific domain. This again will allow you to use
whatever DNS your network uses and have queries properly forwarded
around.

> domain unix.abcd.ca
> search unix.abcd.ca abcd.ca 
> nameserver ipa_adress
> nameserver ad_adress
> 
No, don't do this as a way to not configure the DNS servers, it won't
work and will cause really confusing mis-behaviors if the DNS servers
themselves do not know how to talk to each other.

If delegation of zones or forwarding is properly set up though then this
scheme would allow you to have a fallback when either infrastructure is
temporarily unreachable.
> 
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
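A small model of the [domain_realm] lookup discussed in the message above, added here as an illustration; it is not code from the thread, from FreeIPA or from MIT krb5. It parses constructed krb5.conf fragments and applies the matching rules as the MIT krb5.conf documentation describes them: an entry with a leading dot covers every host below that domain, an entry without a dot covers that exact name and anything below it that no more specific entry caught, the most specific entry wins, and with no entry at all the client falls back to guessing the realm from the host's DNS domain. The abcd.ca and unix.abcd.ca names and the UNIX.ABCD.CA realm come from the thread; the hostnames aix01.abcd.ca and dc1.ad.abcd.ca, the ad.abcd.ca subdomain and the AD.ABCD.CA realm are assumptions made for the example.

```python
"""
Model of how a Kerberos client maps a service host to a realm via the
[domain_realm] section of krb5.conf.  Added example, not FreeIPA or MIT
krb5 code; it follows the documented matching rules, not the library source.
"""
from typing import Dict, Optional

# Constructed fragment: what a client in unix.abcd.ca would typically carry
# right after enrolment, with entries for the IPA DNS domain only.
KRB5_CONF_IPA_ONLY = """
[libdefaults]
 default_realm = UNIX.ABCD.CA

[domain_realm]
 .unix.abcd.ca = UNIX.ABCD.CA
 unix.abcd.ca = UNIX.ABCD.CA
"""

# Constructed fragment with the mapping the message recommends for hosts
# that keep their abcd.ca names, plus a hypothetical more specific entry
# for an assumed AD subdomain so that AD hosts are not swept into the
# IPA realm by the blanket .abcd.ca rule.
KRB5_CONF_WITH_MAPPING = """
[domain_realm]
 .unix.abcd.ca = UNIX.ABCD.CA
 unix.abcd.ca = UNIX.ABCD.CA
 .abcd.ca = UNIX.ABCD.CA
 abcd.ca = UNIX.ABCD.CA
 .ad.abcd.ca = AD.ABCD.CA   # assumption: AD hosts live under ad.abcd.ca
"""


def parse_domain_realm(text: str) -> Dict[str, str]:
    """Collect 'name = REALM' lines from the [domain_realm] section only."""
    mapping: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith('['):
            in_section = (line == '[domain_realm]')
            continue
        if in_section and '=' in line:
            name, realm = (part.strip() for part in line.split('=', 1))
            mapping[name.lower()] = realm     # names are compared case-insensitively
    return mapping


def lookup_realm(mapping: Dict[str, str], host: str) -> Optional[str]:
    """Realm assigned by [domain_realm], most specific entry first; None if no entry matches."""
    host = host.lower().rstrip('.')
    if host in mapping:                       # exact host (or bare domain) entry
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):           # walk parent domains, longest first
        parent = '.'.join(labels[i:])
        if '.' + parent in mapping:           # ".abcd.ca": hosts below the domain
            return mapping['.' + parent]
        if parent in mapping:                 # "abcd.ca": the domain and anything below it
            return mapping[parent]
    return None


def realm_for_host(mapping: Dict[str, str], host: str) -> str:
    """Realm the client ends up using: the mapping, else the DNS-domain guess."""
    realm = lookup_realm(mapping, host)
    if realm is not None:
        return realm
    # Documented fallback when nothing matches: take the host's DNS domain,
    # upper-cased, as the realm.  For aix01.abcd.ca that yields ABCD.CA,
    # which is not the IPA realm, so the explicit mapping removes the guesswork.
    parts = host.lower().rstrip('.').split('.', 1)
    return (parts[1] if len(parts) > 1 else parts[0]).upper()


def demo() -> Dict[str, str]:
    """Resolve a few hosts against both fragments; keys are 'config:host'."""
    hosts = ["ipa.unix.abcd.ca", "aix01.abcd.ca", "abcd.ca", "dc1.ad.abcd.ca"]
    results = {}
    for name, text in (("ipa-only", KRB5_CONF_IPA_ONLY),
                       ("with-mapping", KRB5_CONF_WITH_MAPPING)):
        mapping = parse_domain_realm(text)
        for host in hosts:
            results[f"{name}:{host}"] = realm_for_host(mapping, host)
    return results


if __name__ == "__main__":
    for key, realm in demo().items():
        print(f"{key:40s} -> {realm}")
```

The point to take from running it: with the IPA-only fragment, aix01.abcd.ca has no entry and the client guesses ABCD.CA; with the .abcd.ca and abcd.ca entries added it lands in UNIX.ABCD.CA, while the more specific .ad.abcd.ca entry still wins for hosts under that assumed subdomain. Exact fallback behaviour differs between krb5 versions (newer clients may first ask their own KDC for a referral), which is one more reason to make the mapping explicit on every host.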



