[Freeipa-users] need info on AD / IPA coexistence

Brian Cook bcook at redhat.com
Thu Mar 8 17:07:07 UTC 2012


If your AD realm is ABCD.CA and you want your unix realm to be UNIX.ABCD.CA then your FQDN should be ipaserver.unix.abcd.ca

When you delegate the zone from AD, you should have at least two IPA servers running bind listed.  

ipaserver1.unix.abcd.ca
ipaserver2.unix.abcd.ca

That way if one is down, you can still resolve names.

---
Brian Cook
Solutions Architect, Red Hat, Inc.
407-212-7079




On Mar 8, 2012, at 8:54 AM, Sylvain Angers wrote:

> Alright!
> 
> I am now requesting to our DNS team
> 
> please delegate dns zone "unix.abcd.ca" to ???
> Question: should the ipa server fqdn be ipaserver.unix.abcd.ca or ipaserver.abcd.ca?
> 
> does it matter?
> 
> thanks
> 
> 2012/3/8 Simo Sorce <simo at redhat.com>
> On Thu, 2012-03-08 at 09:46 -0500, Sylvain Angers wrote:
> > Hi Again
> > Our current Linux/AIX servers fqdn should remain on abcd.ca domain
> >
> > I need an advice: Should the ipa server fqdn be ipa.abcd.ca or
> > ipa.unix.abcd.ca?
> 
> You can have machines on a different DNS domain with FreeIPA.
> So you can use unix.abcd.ca for your IPA server and still install
> clients in abcd.ca.
> 
> I think the only thing you should take care of is to make sure an
> abcd.ca -> UNIX.ABCD.CA mapping in krb5.conf under the [domain_realm]
> section is available on all machines of the domain to avoid issues
> resolving the correct realm for clients in the other domain.
> 
> On clients this should be automated in the very last release but the ipa
> server needs to be configured after install.
> 
> > and on the Linux/AIX server, should we add entry of both dns (ipa and
> > Microsoft AD) in resolv.conf?
> 
> No, that would not work. What you should do is ask your DNS admin to
> delegate you the unix.abcd.ca zone. Once that is done it doesn't matter
> which DNS you are querying they will know who to ask.
> If delegation is not possible you could still use named forwarders in
> both IPA and AD so that each DNS server still knows where to forward
> requests for the specific domain. This again will allow you to use
> whatever DNS your network uses and have queries properly forwarded
> around.
> 
> > domain unix.abcd.ca
> > search unix.abcd.ca abcd.ca
> > nameserver ipa_adress
> > nameserver ad_adress
> >
> No, don't do this as a way to not configure the DNS servers, it won't
> work and will cause really confusing mis-behaviors if the DNS servers
> themselves do not know how to talk to each other.
> 
> If delegation of zones or forwarding is properly set up though then this
> scheme would allow you to have a fallback when either infrastructure is
> temporarily unreachable.
> >
> Simo.
> 
> --
> Simo Sorce * Red Hat, Inc * New York
> 
> 
> 
> 
> -- 
> Sylvain Angers
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
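
The [domain_realm] point Simo makes above is easy to get wrong silently, so here is an added example (not code from the thread or from FreeIPA) that models how a Kerberos client walks [domain_realm] to pick a realm for a host. The two krb5.conf fragments are constructed for the ABCD.CA (AD) / UNIX.ABCD.CA (IPA) layout discussed in the thread; the KDC and client host names are assumptions, and the no-match fallback (upper-cased parent domain) is the classic guess older libraries make, which real libraries may replace with a DNS TXT lookup or default_realm.

```python
"""Model the [domain_realm] lookup a Kerberos client performs, to show why an
abcd.ca -> UNIX.ABCD.CA mapping is needed on hosts whose FQDN stays in abcd.ca.

Added example; not code from the list thread or from FreeIPA. Host names,
the krb5.conf text and the fallback rule are assumptions for illustration.
"""

# Constructed krb5.conf as an IPA client in unix.abcd.ca might carry it,
# plus the extra lines for hosts living in the parent abcd.ca domain.
KRB5_CONF_MAPPED = """
[libdefaults]
  default_realm = UNIX.ABCD.CA
  dns_lookup_realm = false

[realms]
  UNIX.ABCD.CA = {
    kdc = ipaserver1.unix.abcd.ca:88
    admin_server = ipaserver1.unix.abcd.ca:749
  }

[domain_realm]
  .unix.abcd.ca = UNIX.ABCD.CA
  unix.abcd.ca = UNIX.ABCD.CA
  # the mapping Simo asks for: abcd.ca hosts still belong to the IPA realm
  .abcd.ca = UNIX.ABCD.CA
  abcd.ca = UNIX.ABCD.CA
"""

# Same file without the abcd.ca lines, i.e. a client that was never told.
KRB5_CONF_UNMAPPED = "\n".join(
    line for line in KRB5_CONF_MAPPED.splitlines()
    if not line.strip().startswith((".abcd.ca", "abcd.ca", "#"))
)


def parse_domain_realm(conf: str) -> dict:
    """Return the [domain_realm] section as {key: REALM}, keys lower-cased.

    Minimal krb5.conf reader: sections are [name], entries are key = value,
    '#' starts a comment, and brace blocks (as under [realms]) are skipped.
    """
    mapping = {}
    section = None
    depth = 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if section == "domain_realm" and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value.upper()
    return mapping


def realm_for_host(hostname: str, mapping: dict) -> str:
    """Pick the realm for hostname the way MIT krb5 walks [domain_realm].

    Order: exact host name first, then each parent domain with a leading dot
    from most to least specific. With no match we fall back to the upper-cased
    parent domain (assumed fallback; real libraries may consult DNS TXT records
    or default_realm instead). That fallback is exactly how an abcd.ca host
    ends up talking to the AD realm ABCD.CA instead of the IPA realm.
    """
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return ".".join(labels[1:]).upper()


def check_clients(conf: str, hosts) -> dict:
    """Map each host to the realm a client with this krb5.conf would pick."""
    mapping = parse_domain_realm(conf)
    return {host: realm_for_host(host, mapping) for host in hosts}


if __name__ == "__main__":
    hosts = ["ipaserver1.unix.abcd.ca", "web01.abcd.ca", "aix01.abcd.ca"]
    for label, conf in (("mapped", KRB5_CONF_MAPPED),
                        ("unmapped", KRB5_CONF_UNMAPPED)):
        print(label, check_clients(conf, hosts))
```

Run as-is, the "unmapped" line sends web01.abcd.ca and aix01.abcd.ca to ABCD.CA while the IPA server itself still resolves to UNIX.ABCD.CA; the "mapped" line sends all three to UNIX.ABCD.CA. The same walk can be used as a quick audit of a fleet's krb5.conf files before cutting over.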
