Hi all,
We're testing some FreeIPA and Active Directory scenarios and would like
some guidance.
Situation:
- 2 FreeIPA Servers in Location A
- 2 MS Domain Controllers in Location A
- 2 FreeIPA Servers in Location B
- 1 MS Domain Controller in Location B
- 2 domains with trust (ipa.lan, ad.lan)
- Users are all in AD, IPA uses external+posix groups for SSH/Sudo rules
- NTP and DNS are external to IPA
- all IPA servers are also trust agents and controllers
- IPA Locations enabled/turned ON
1) When IPA has a DNS record
"_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ipa.lan. 86400 IN
SRV 0 100 88 freeipa01.ipa.lan."
a) Does the middle part "Default-First-Site-Name" have anything to do with
Active Directory and its trust?
b) Or is it just the name of IPA's first site?
c) Can it be changed?
2) IPA domain lookups (users, rules, ...) can be limited to a
single location by using *Locations* (meaning SRV records with priority 0
and 50),
but can I do the same with external users (Active Directory users accessing
ipa-clients)?
a) How do I instruct Location A IPAs to fetch users from Location A
Active Directories, and not perform round-robin on both locations?
b) Is it only related to the SRV priorities on DomainController's DNS?
(e.g. _gc._tcp.Default-First-Site....ad.lan IN SRV 0 100 88 ad01.ad.lan)
c) Does it have anything to do with the Domain Controllers' Sites
(Default-First-Site-Name, Location-A-Site, Location-B-Site, ....)?
3) Does IPA-AD trust depend on anything but the Trust Name?
a) Can I change the DomainController's site as I please? (move from
Location A to B, delete Default-First-Site-Name site, ...)?
Thank you for your time
--
Josip Domsic
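The post describes IPA Locations as SRV records with priority 0 (own location) and 50 (other location). The following is an added example, not code from the post or from FreeIPA: it implements the RFC 2782 client-side SRV selection order over constructed records for ipa.lan (hostnames freeipa01..04 and the zone contents are assumptions, modelled on the record quoted in the post), to show that a client only contacts the priority-50 targets once every priority-0 target has failed. How a particular client, IPA's DNS or an AD domain controller actually chooses among records is not something this example can answer.

```python
"""RFC 2782 SRV target selection over constructed, location-scoped records.

Added example (not from the post, not FreeIPA code): a client that is served
priority-0 records for its own location and priority-50 records for the other
location only contacts the remote servers after every local one has failed.
"""
import random
import re
from dataclasses import dataclass

# Zone-file style SRV line, e.g.
#   _kerberos._tcp.ipa.lan. 86400 IN SRV 0 100 88 freeipa01.ipa.lan.
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


@dataclass(frozen=True)
class SRV:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line: str) -> SRV:
    """Parse one SRV record line; names are lower-cased, trailing dot removed."""
    m = SRV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SRV record: {line!r}")
    return SRV(
        name=m["name"].rstrip(".").lower(),
        priority=int(m["prio"]),
        weight=int(m["weight"]),
        port=int(m["port"]),
        target=m["target"].rstrip(".").lower(),
    )


def order_targets(records, rng=None):
    """Return records in RFC 2782 contact order.

    Lower priority values are tried first; within one priority the order is a
    weighted random draw, with weight-0 records given a negligible chance.
    """
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        rng.shuffle(pool)
        # RFC 2782: zero-weight records are placed first so that they are
        # selected only when the random number is 0.
        pool.sort(key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            n = rng.randint(0, total)
            running = 0
            for r in pool:
                running += r.weight
                if running >= n:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def first_reachable(records, unreachable, seed=None):
    """Pick the first target in contact order that is not known to be down."""
    for r in order_targets(records, random.Random(seed)):
        if r.target not in unreachable:
            return r
    return None


def contact_order_names(records, seed=0):
    """Target hostnames in contact order for a given RNG seed."""
    return [r.target for r in order_targets(records, random.Random(seed))]


# Constructed records (not taken from any real zone): what a Location A client
# would receive for the KDC lookup, following the post's description of
# Locations as priority 0 (own location) versus 50 (other location).
LOCATION_A_VIEW = [parse_srv(l) for l in """
_kerberos._tcp.ipa.lan. 86400 IN SRV 0 100 88 freeipa01.ipa.lan.
_kerberos._tcp.ipa.lan. 86400 IN SRV 0 100 88 freeipa02.ipa.lan.
_kerberos._tcp.ipa.lan. 86400 IN SRV 50 100 88 freeipa03.ipa.lan.
_kerberos._tcp.ipa.lan. 86400 IN SRV 50 100 88 freeipa04.ipa.lan.
""".strip().splitlines()]

LOCAL = {"freeipa01.ipa.lan", "freeipa02.ipa.lan"}    # assumed Location A servers
REMOTE = {"freeipa03.ipa.lan", "freeipa04.ipa.lan"}   # assumed Location B servers


if __name__ == "__main__":
    for seed in range(3):
        print(seed, contact_order_names(LOCATION_A_VIEW, seed))
    print("all local down ->", first_reachable(LOCATION_A_VIEW, LOCAL).target)
```

Across seeds the two local servers swap places (equal weights), but they always precede the two remote ones; only when both local targets are marked unreachable does the selection fall through to a priority-50 server. Whether the same mechanism governs which AD domain controller an IPA server talks to is exactly the open question in the post and is not decided here.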