On Wed, 05 Oct 2016, Chris Dagdigian wrote:
Hi folks,
Working on a hairy multiple AD Forest integration issue in AWS and
would appreciate a sanity check - I've been wrong about IPA setup and
navigating transitive AD trusts so many times that I figured it was
time to ask questions first before falling on my face again, heh.
After reading the documentation we ended up getting a new domain name
to run our IPA server on -- seemed easier than creating and delegating
a subdomain off of the primary AD server.
This is what we have:
AD Forest #1: company-test.org
AD Forest #2: company-aws.org
IPA Server : company-ipa.org
The IPA server at company-ipa.org has successfully created 1-way
trusts to the AD servers for company-test.org and company-aws.org.
I'm at the point now where I'm ready to try installing IPA clients and
have a simple sanity check question:
##
Can I launch a server in AWS with a hostname of "test.company-aws.org"
yet bind it to my IPA server at "ipa.company-ipa.org" so it can manage
users etc. ?
##
I was thinking of a command like:
# ipa-client-install \
--domain company-aws.org \
--server ipa.company-ipa.org \
--realm COMPANY-AWS.ORG
Would appreciate a quick sanity check on if this is possible or
supported. The ipa-client-install command is failing ("cant verify
that server is an IPA server ..." ) but I'm not sure if it's because
I've got a config / DNS / port problem or if I'm (once again) trying
to do something stupid with IPA ...
You need to read this:
http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
to understand all limitations and problems.
This is a technical description. For higher level, see
http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/
--
/ Alexander Bokovoy
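The following is an added illustration, not code from the thread or from FreeIPA: it models the discovery step behind the error Chris quotes (the installer derives an LDAP base DN from --domain and looks for the IPA entries there) and shows the krb5 [domain_realm] mapping a host whose DNS name sits in the AD domain needs once it is enrolled in the IPA realm. The server table and the mapping rule are assumptions for the example; the linked page is the authority on the real limitations.

```python
"""Pre-flight model of the ipa-client-install parameters discussed in the thread.

Added example, not FreeIPA code. It reproduces two checks the installer's
discovery step performs (base DN derived from --domain, matched against the
server) and builds the krb5 [domain_realm] entries a host whose DNS name lies
outside the IPA domain needs. The server table below is constructed data.
"""

# Constructed: base DN each IPA server would answer with (normally read over LDAP).
IPA_SERVERS = {"ipa.company-ipa.org": "dc=company-ipa,dc=org"}


def domain_to_basedn(domain):
    """company-aws.org -> dc=company-aws,dc=org (the rule the installer applies)."""
    return ",".join("dc=" + label for label in domain.lower().strip(".").split("."))


def check_enrollment(hostname, domain, realm, server):
    """Return (problems, domain_realm_lines) for one ipa-client-install invocation."""
    problems = []
    if realm != domain.upper():
        problems.append("realm %s is not the upper-case form of domain %s" % (realm, domain))
    served = IPA_SERVERS.get(server)
    wanted = domain_to_basedn(domain)
    if served is None:
        problems.append("%s did not answer the LDAP discovery query" % server)
    elif served != wanted:
        # This is the situation behind "can't verify that server is an IPA server":
        # the installer searches under the base DN derived from --domain, and the
        # named server holds a different suffix.
        problems.append("cannot verify that %s is an IPA server for %s: it serves %s, expected %s"
                        % (server, domain, served, wanted))
    # Kerberos maps a host to a realm by its DNS domain unless told otherwise; a host
    # named in the AD domain but enrolled in the IPA realm needs an explicit entry
    # (assumed here; check the linked page for what the installer writes).
    host_domain = hostname.split(".", 1)[1]
    mapping = ["%s = %s" % (domain, realm), ".%s = %s" % (domain, realm)]
    if host_domain.lower() != domain.lower():
        mapping.append("%s = %s" % (hostname, realm))
    return problems, mapping


if __name__ == "__main__":
    # The command from the thread: --domain/--realm taken from the AD forest.
    print(check_enrollment("test.company-aws.org", "company-aws.org", "COMPANY-AWS.ORG", "ipa.company-ipa.org"))
    # The same host enrolled with the IPA deployment's own domain and realm.
    print(check_enrollment("test.company-aws.org", "company-ipa.org", "COMPANY-IPA.ORG", "ipa.company-ipa.org"))
```

The first call reproduces the failure in the thread (base DN mismatch); the second passes discovery and shows that only the hostname, not the --domain or --realm, belongs to the AD side.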
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project