hi,

On Wed, Dec 12, 2012 at 7:45 PM, Patrick Bakker <[email protected]> wrote:
> I just joined this list because I was curious about the recent discussion
> that Rashard Kelly had started about whether to use FreeIPA's integrated DNS
> or whether to disable DNS. I'm wondering about a very similar thing. I have
> a bunch of Linux servers that I'd like to start managing more centrally, but we
> have Active Directory running the network right now.
>
> I looked at the bug attachment Petr Spacek recommended
> (https://fedorahosted.org/freeipa/attachment/ticket/3268/3268.v2) but one
> thing I didn't see there is a discussion of whether to use an entirely
> different domain. As this is the direction I'm inclined to, I'm curious if
> there is some good reason not to do it.
>
> Suppose I have a company ACME Widgets which is running acmewidgets.local
> under Active Directory. Does it simplify anything if I were to run all my
> Linux boxes under FreeIPA under an entirely different domain such as
> acme.local?
We have an acme.local AD domain as well. Our AD domain controllers have integrated DNS. The AD DNS servers have an acme.tld zone as well (for a split DNS view of our internet-facing infrastructure).

What we have done is delegate a new subdomain of this acme.tld domain: unix.acme.tld; the new subdomain is for IPA. In your AD DNS server you create a delegation of the acme.tld zone and create glue records for the NS servers of the IPA unix.acme.tld. So every time you create a replica of an IPA server you add a glue NS record to the delegation record.

This is a recommended best practice by Microsoft (see http://support.microsoft.com/kb/909264, scroll down to section 'Other factors', section 'best practices').

> Since I have completely separate DNS records I shouldn't need to worry about
> any DNS integration. Will this complicate a future trust between the AD
> domain acmewidgets.local and the FreeIPA domain acme.local if I want to do
> that at some point?

I do not think so. In typical unix kerberos trusts, a subdomain implicitly trusts its parent. If you use separate zones you do not have this risk.

--
groet,
natxo

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
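A consistency check for the delegation natxo describes, added here as an example and not taken from the thread: it compares the NS and glue records the AD parent zone acme.tld holds for unix.acme.tld against the NS set the IPA child zone itself advertises, flagging a replica added without updating the delegation, a stale delegation entry, and glue that no longer matches. The zone data, host names (ipa1..ipa3) and 10.1.0.x addresses are constructed.

```python
from typing import Dict, List, Set, Tuple
# Constructed sample (not from the thread): delegation records held in the
# AD-hosted parent zone acme.tld for the IPA child zone unix.acme.tld.
PARENT_ZONE = """
unix.acme.tld.      IN NS ipa1.unix.acme.tld.
unix.acme.tld.      IN NS ipa2.unix.acme.tld.
ipa1.unix.acme.tld. IN A  10.1.0.11
ipa2.unix.acme.tld. IN A  10.1.0.12
"""

# Constructed sample: what the IPA child zone advertises after a third replica
# (ipa3) was added without updating the delegation, and ipa2 was renumbered.
CHILD_ZONE = """
unix.acme.tld.      IN NS ipa1.unix.acme.tld.
unix.acme.tld.      IN NS ipa2.unix.acme.tld.
unix.acme.tld.      IN NS ipa3.unix.acme.tld.
ipa1.unix.acme.tld. IN A  10.1.0.11
ipa2.unix.acme.tld. IN A  10.1.0.22
ipa3.unix.acme.tld. IN A  10.1.0.13
"""

def parse_records(zone_text: str) -> Dict[Tuple[str, str], Set[str]]:
    """Minimal parser for 'owner IN TYPE rdata' lines, keyed by (owner, type)."""
    records: Dict[Tuple[str, str], Set[str]] = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "IN":
            continue
        owner, rtype, rdata = parts[0].lower(), parts[2].upper(), parts[3].lower()
        records.setdefault((owner, rtype), set()).add(rdata)
    return records

def check_delegation(parent_text: str, child_text: str, child_zone: str) -> Dict[str, List[str]]:
    """Compare the parent's delegation (NS + glue) with the child's own NS/A data."""
    parent, child = parse_records(parent_text), parse_records(child_text)
    key = (child_zone.lower().rstrip(".") + ".", "NS")
    delegated, advertised = parent.get(key, set()), child.get(key, set())
    return {
        # replica known to IPA but never added to the AD delegation
        "missing_in_parent": sorted(advertised - delegated),
        # delegation still points at a server the child no longer lists
        "stale_in_parent": sorted(delegated - advertised),
        # glue address in AD differs from the child's authoritative A record
        "glue_mismatch": sorted(ns for ns in delegated & advertised
                                if parent.get((ns, "A")) != child.get((ns, "A"))),
    }

if __name__ == "__main__":
    for kind, hosts in check_delegation(PARENT_ZONE, CHILD_ZONE, "unix.acme.tld").items():
        print(f"{kind}: {hosts or 'none'}")
```

In practice the two inputs would come from a zone transfer or `dig` against the AD server and an IPA server respectively; the parser deliberately accepts only the simple one-record-per-line form shown.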
