Thank you Rafael. Those directions are straightforward. I'll be able to test this on Monday when I am back at work.
________________________________
From: Rafael Jeffman <[email protected]>
Sent: Friday, January 13, 2023 8:42 PM
To: FreeIPA users list <[email protected]>
Cc: Jeremy Tourville <[email protected]>
Subject: Re: [Freeipa-users] AD Conditional Forwarder to IdM failure

Hi Jeremy,

On Fri, Jan 13, 2023 at 4:00 PM Jeremy Tourville via FreeIPA-users <[email protected]> wrote:
>
> I am following the directions from here:
>
> Section: 32.6.4. Configuring DNS forwarding in AD
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-trust-between-idm-and-ad_installing-identity-management#configuring-dns-forwarding-in-ad_configuring-dns-and-realm-settings-for-a-trust
>
> I get an error message from AD DNS "The server with this IP Address is not
> authoritative for the required zone"
>
> This error makes me think there is a problem with my IdM DNS server.
>
> My setup is AD integrated and a one way trust is established with AD. I was
> able to create a forwarder from IdM to AD without issue.
>
> My domains:
> AD = gsil.mil
> IdM = idm.gsil.mil
>

You may also take a look at:

https://www.freeipa.org/page/Active_Directory_trust_setup

Search for "If IPA is subdomain of AD", as your IdM domain is a subdomain of AD. You may need to set an NS record to delegate authoritative answers from AD DNS to IdM DNS.

Rafael

> I have been reading:
> 86.1. Supported DNS zone types
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/managing-dns-zones-in-idm_configuring-and-managing-idm#adding-a-primary-dns-zone-in-idm-web-ui_managing-dns-zones-in-idm
> and
> 6.1. The two roles of an IdM DNS server
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/working_with_dns_in_identity_management/managing-dns-forwarding-in-idm_working-with-dns-in-identity-management#the-two-roles-of-an-idm-dns-server_managing-dns-forwarding-in-idm
>
> as well as several articles on DNS forwarding vs DNS delegation for AD.
>
> This is a step that I was able to make work with no issues in a previous
> setup/installation.
>
> Red Hat documentation states:
> 86.1 Supported DNS Zone Types
> "Forward DNS zones
>
> From the perspective of IdM, forward DNS zones do not contain any
> authoritative data. In fact, a forward "zone" usually only contains two
> pieces of information:
> - A domain name
> - The IP address of a DNS server associated with the domain "
>
>
> 6.1. The two roles of an IdM DNS server
> By default, the Berkeley Internet Name Domain (BIND) service integrated with
> IdM acts as both an authoritative and a recursive DNS server:
>
> Authoritative DNS server
> When a DNS client queries a name belonging to a DNS zone for which the IdM
> server is authoritative, BIND replies with data contained in the configured
> zone. Authoritative data always takes precedence over any other data.
>
> I am still having some confusion why this is not working. Can someone
> enlighten me?
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
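A shell diagnostic added by the editor for the problem discussed in this thread; it is not from the thread, from FreeIPA, or from the Red Hat documentation. It checks the two conditions the thread turns on: the IdM server must answer authoritatively (the `aa` flag in dig's header) for idm.gsil.mil, which is the property AD's forwarder validation is probing when it reports that the server "is not authoritative for the required zone", and, for the subdomain case Rafael points to, AD DNS must carry an NS delegation (with a glue A record) for idm.gsil.mil towards the IdM server. The domain names are the thread's; the two IP addresses and the `ipa.idm.gsil.mil` host name are constructed placeholders.

```shell
#!/bin/sh
# Delegation/forwarder diagnostic for an IdM subdomain of AD (editor's
# example, not from the thread or the Red Hat docs). Domain names are the
# thread's; the IP addresses are constructed placeholders.
ZONE="idm.gsil.mil"
IDM_DNS="${IDM_DNS:-192.0.2.10}"   # placeholder: IdM DNS server address
AD_DNS="${AD_DNS:-192.0.2.5}"      # placeholder: AD DNS server address

# Return 0 when the dig output passed as $1 carries the "aa" (authoritative
# answer) flag in its header line. A forwarder target that lacks this flag
# for the zone is what AD rejects as "not authoritative for the required zone".
response_is_authoritative() {
    printf '%s\n' "$1" | grep -q '^;; flags:.*[[:space:]]aa[[:space:];]'
}

# Print the NS targets that dig output ($1) lists for ZONE, whether they
# appear in the answer or the authority (referral) section. No output means
# the queried server has no delegation for the subdomain.
delegation_targets() {
    printf '%s\n' "$1" | awk -v zone="${ZONE}." '$1 == zone && $4 == "NS" { print $5 }'
}

# Print the glue A record(s) that dig output ($1) carries for name server $2.
glue_addresses() {
    printf '%s\n' "$1" | awk -v host="$2" '$1 == host && $4 == "A" { print $5 }'
}

# Live checks against the real servers (needs dig on the PATH).
run_live_checks() {
    rc=0
    # 1. Does the IdM server answer authoritatively for its own zone?
    soa=$(dig @"$IDM_DNS" "$ZONE" SOA +norecurse)
    if response_is_authoritative "$soa"; then
        echo "OK: $IDM_DNS answers authoritatively for $ZONE"
    else
        echo "FAIL: $IDM_DNS is not authoritative for $ZONE (check the IdM zone)"
        rc=1
    fi
    # 2. Does AD DNS delegate the subdomain to IdM (NS record plus glue)?
    ns=$(dig @"$AD_DNS" "$ZONE" NS +norecurse)
    targets=$(delegation_targets "$ns")
    if [ -z "$targets" ]; then
        echo "FAIL: $AD_DNS returns no NS delegation for $ZONE"
        rc=1
    else
        for t in $targets; do
            glue=$(glue_addresses "$ns" "$t")
            echo "OK: $ZONE delegated to $t ${glue:+(glue: $glue)}"
        done
    fi
    return $rc
}

# Only touch the network when asked; without --live the script just defines
# the functions, which also work on saved dig output.
if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

Run it with `--live` (and `IDM_DNS`/`AD_DNS` set to the real addresses) to query the servers; the first check failing points at the IdM zone itself, the second at a missing or incomplete delegation on the AD side.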
