To start off, my experience lies in networking (Cisco) and Windows. That being said, I have been set off on a project to design a multi-site FreeIPA installation. I have single-site FreeIPA without a problem. Where I am running into problems is multi-site.
Let's say that I have three sites:
- site1.example.com
- site2.example.com
- site3.example.com
I want to have example.com as my overarching realm. Do I need to have an IPA server to run example.com?
When I created the first IPA server, ipa.site1.example.com, and used the example.com realm name, no DNS zone was created for example.com. I only have a DNS zone for site1.example.com.
The documentation for realms and DNS zones seems to be next to nonexistent (or I am just looking in the wrong direction). If anyone has experience with this setup, or can point me in the right direction, I would appreciate it.
Best Answer
No, you don't need an IPA server running in "example.com", but you do need a correctly set-up DNS server that correctly delegates the subdomains "site1/2/3.example.com" to their authoritative DNS servers (I'd suggest letting the IPA servers handle their DNS themselves).
For each realm just add the following two records to your "example.com" zone, and you're done. I'd suggest you point the A records directly to your "subdomain" IPA server and have them handle their own subdomain DNS zones.
I just did that as well, with two realms "test.example.com" and "prod.example.com", without an existing "example.com".
But be aware that the ipa-server-install script by default might use the real public root DNS servers to resolve your domain, even if the system itself has other resolvers configured, so you have to define, on the ipa-server-install command line, forwarders that know how to handle it (e.g. where XX.XX.XX.XX is the IP of your DNS server for "example.com").
This should do the trick. Have a look at man ipa-server-install and search for "forward" to get more details.
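The layout the answer describes, as an added example that is not part of the original question or answer: a small script that generates the delegation records the parent "example.com" zone needs for each site (an NS record pointing at that site's IPA server plus the glue A record for it), checks that no delegation is missing its glue, and builds the per-site ipa-server-install command line with --setup-dns and --forwarder so the new server serves its own subdomain and forwards everything else to the example.com DNS server rather than the public root servers. The site names, the "ipa.<site>" host names, the RFC 5737 documentation addresses and 192.0.2.53 as the example.com DNS server are all assumptions for the example; the flags are the ones documented in man ipa-server-install.

```python
# Added example: parent-zone delegation and per-site install command for a
# multi-site FreeIPA layout. Not code from the original post.
# Assumptions: IPA host is "ipa.<site>.<parent>", addresses are RFC 5737
# documentation ranges, and 192.0.2.53 serves the parent zone example.com.

PARENT_ZONE = "example.com"
PARENT_DNS_IP = "192.0.2.53"   # assumed: the DNS server authoritative for example.com
SITES = {                      # assumed: site -> address of that site's IPA server
    "site1": "192.0.2.11",
    "site2": "192.0.2.12",
    "site3": "192.0.2.13",
}


def ipa_host(site, parent=PARENT_ZONE):
    """Host name of the IPA server that will serve <site>.<parent>."""
    return f"ipa.{site}.{parent}"


def delegation_records(sites, parent=PARENT_ZONE):
    """The two records the parent zone needs per delegated subdomain:
    an NS record handing the subdomain to its IPA server, and a glue A
    record so a resolver can reach that server by address.
    Returns a list of (owner, type, rdata) tuples.
    """
    records = []
    for site, ip in sites.items():
        subdomain = f"{site}.{parent}"
        records.append((subdomain, "NS", ipa_host(site, parent)))
        records.append((ipa_host(site, parent), "A", ip))
    return records


def render_zone_fragment(records):
    """Render the records in BIND zone-file syntax (absolute names)."""
    lines = []
    for owner, rtype, rdata in records:
        # NS targets are names and must be absolute; A rdata is an address.
        target = rdata + "." if rtype == "NS" else rdata
        lines.append(f"{owner}.\tIN\t{rtype}\t{target}")
    return "\n".join(lines)


def missing_glue(records):
    """A delegation is broken when the NS target lives inside the delegated
    subdomain but the parent carries no glue A record for it: the resolver
    would have to ask the child zone for an address it cannot yet reach.
    Returns the NS targets that lack glue (empty list when all is well).
    """
    a_owners = {owner for owner, rtype, _ in records if rtype == "A"}
    problems = []
    for owner, rtype, target in records:
        in_bailiwick = target.endswith("." + owner)
        if rtype == "NS" and in_bailiwick and target not in a_owners:
            problems.append(target)
    return problems


def ipa_server_install_cmd(site, ip, parent=PARENT_ZONE,
                           parent_dns_ip=PARENT_DNS_IP):
    """Install command for one site's first IPA server. --setup-dns makes
    the server authoritative for its own subdomain; --forwarder sends all
    other queries to the parent-zone DNS server instead of the public root
    servers. Realm and domain values per site are assumed for the example.
    """
    domain = f"{site}.{parent}"
    return [
        "ipa-server-install",
        "--setup-dns",
        f"--domain={domain}",
        f"--realm={domain.upper()}",
        f"--hostname={ipa_host(site, parent)}",
        f"--ip-address={ip}",
        f"--forwarder={parent_dns_ip}",
    ]


if __name__ == "__main__":
    recs = delegation_records(SITES)
    print("; add to the example.com zone:")
    print(render_zone_fragment(recs))
    print("; missing glue:", missing_glue(recs) or "none")
    for site, ip in SITES.items():
        print(" ".join(ipa_server_install_cmd(site, ip)))
```

After the parent zone is updated, a quick check from a host that uses the parent DNS server is dig NS site1.example.com @192.0.2.53 (or dig +trace ipa.site1.example.com), which should return the NS record together with the glue address; if the glue is missing, the delegation resolves to nothing even though the IPA server's own zone is fine.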