Hello Chris,
> I run a 4-node IPA cluster on AWS spanning a few global regions and tied into a particularly complex AD forest -- never had the DNS issues you mention but I've never had to talk to IPA on-prem either.
Okay, maybe I will have to investigate this.
> And our setup is strange as we could never get the global AD admins to make DNS entries for us among other issues so we ended up choosing a totally new TLD domain name to run IPA on and bind our servers against; this works fine except we can't leverage kerberos based features because our realm is different from our domain.
You can enrol an IPA client through Kerberos, is this correct?
> - If VPC level changes are too much then it's pretty easy on an EC2 instance to override or alter DNS resolution, nameservers and search order in ways that persist beyond reboot. The specific method depends on the OS you are using and whether you want to do this on the CLI via ansible or manual operations or if you want to do this at the cloud-init "just booting up"
I am dropping a file /etc/NetworkManager/conf.d/90-dns-none.conf using ansible and then adding the IPA server IP to /etc/resolv.conf.
> I don't know the exact scope of your situation but this seems like a case for overriding the DNS settings on the EC2 hosts running IPA to talk to your colo nameservers rather than the AWS designated ones that show up via your DHCP Option Set
I wish it were this, but I don't think so. If it was this, wouldn't doing
dig @192.168.30.8 neptune.external.example.com work at least? The
host 192.168.30.8 being in the office? How is your VPC? Do you have
public and private and NAT between? Or just a flat public? I went
with the latter as I assumed IPA doesn't like working over NAT.
Thanks again for the feedback.
Regards,
William
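As an added illustration of the file drop William describes (example code, not written by anyone in this thread): a POSIX shell helper that writes the NetworkManager drop-in and a static resolv.conf under a chosen root directory so it can be dry-run in a temp dir before touching /, plus a check that the IPA server is the first nameserver. The search domain external.example.com and the address 192.168.30.8 are taken from the thread; the root-directory parameter and the demo flag are assumptions.

```shell
#!/bin/sh
# Added example: generate the two files that keep EC2 resolver settings
# pointed at an IPA/colo nameserver instead of the VPC DHCP option set.
# $1 = root directory (use / on a live host, a temp dir for a dry run)
# $2 = IPA server IP, $3 = search domain

write_dns_override() {
    root="$1"; ipa_ip="$2"; search="$3"
    mkdir -p "$root/etc/NetworkManager/conf.d"
    # "dns=none" in [main] tells NetworkManager to stop rewriting
    # /etc/resolv.conf, so the override survives reboots and DHCP renewals.
    printf '[main]\ndns=none\n' > "$root/etc/NetworkManager/conf.d/90-dns-none.conf"
    # Static resolver file: IPA server first, search domain for short names.
    printf 'search %s\nnameserver %s\n' "$search" "$ipa_ip" > "$root/etc/resolv.conf"
}

# Returns 0 only if NM has been told to leave resolv.conf alone AND the
# first nameserver is the expected IPA server. If the AWS VPC resolver
# (169.254.169.253 or the VPC base+2 address) is listed first, the DHCP
# option set won and IPA/AD lookups will go to the wrong place.
check_dns_override() {
    root="$1"; ipa_ip="$2"
    grep -qx 'dns=none' "$root/etc/NetworkManager/conf.d/90-dns-none.conf" || return 1
    first=$(awk '/^nameserver/ {print $2; exit}' "$root/etc/resolv.conf")
    [ "$first" = "$ipa_ip" ]
}

# Dry-run demo: write into a temp dir and verify (flag is an assumption).
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_dns_override "$d" 192.168.30.8 external.example.com
    check_dns_override "$d" 192.168.30.8 && echo "override OK under $d"
fi
```

After applying on a real host, `dig @192.168.30.8 neptune.external.example.com` and a plain `dig neptune.external.example.com` should return the same answer; a mismatch means something (NM, dhclient, systemd-resolved) is still rewriting the resolver file.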