
Currently our network is all tied to Active Directory with both Windows and Linux workstations/servers. We would like to implement a FreeIPA server that synchronizes authentication between a Linux domain (e.g. linux.my.domain) and an Active Directory domain (win.my.domain). While there are multiple solutions for Windows+Linux authentication, AD and FreeIPA (IdM) is a requirement of our customers.

What is the best way to configure these servers with DNS and DHCP? The network traffic must be able to communicate (eg: linux machines can ping windows machines). We were thinking that we would need two separate DNS servers connected to a DHCP server with two NICs. Using different subnets, the DHCP server would know where to route machines to their appropriate DNS servers.

Hopefully I haven't confused you. If so, I'm still trying to formulate a plan. I just wanted to see if anyone had ever done this before. Thanks for the advice in advance!

2 Answers


What is the best way to configure these servers with DNS and DHCP?

There's not much special that has to happen here. There's no need to differentiate between Windows and Linux clients. Point your clients at a DNS resolver that has a delegated zone for AD clients pointing to your AD DNS servers and a delegated zone for the Linux servers pointing to your Linux DNS servers.

We were thinking that we would need two separate DNS servers connected to a DHCP server with two NICs. Using different subnets, the DHCP server would know where to route machines to their appropriate DNS servers.

This is a confusing statement. DHCP servers don't "route" anything. Regardless, as I mentioned above, there is no requirement, at least from DNS's perspective, to segregate your machines. Sometimes it's a good idea to segregate Windows and Linux machines for other reasons (security, administrative, firewall, etc.), but that's a different topic than you're asking about.

EEAA
  • Right on. On the face of it, there's no reason to do a layer-2 segregation of the machines in question. – mfinni Sep 16 '14 at 01:38
  • Yep, that's correct - no reason to do so unless there are other policies in place that would require different OSes to be segregated. – EEAA Sep 16 '14 at 01:39
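A concrete layout for the delegation described in this answer (and for the separate-domain requirement in the second answer), written as an added example in BIND 9 zone-file syntax; it is not from the original answers. The names win.my.domain and linux.my.domain come from the question; the server hostnames and the 192.0.2.0/24 addresses are constructed placeholders.

```dns
; Parent zone my.domain, served by the one resolver/authoritative server
; that every client (Windows or Linux) receives from DHCP.
$ORIGIN my.domain.
$TTL 3600
@          IN SOA  ns1.my.domain. hostmaster.my.domain. (
                   2014091601 ; serial (constructed)
                   3600       ; refresh
                   900        ; retry
                   1209600    ; expire
                   300 )      ; negative-cache TTL
@          IN NS   ns1.my.domain.
ns1        IN A    192.0.2.10            ; constructed address

; Delegate the AD domain to the domain controllers' DNS.
; Windows clients and Kerberos SRV lookups (_ldap._tcp, _kerberos._tcp)
; under win.my.domain are answered by AD, not by this server.
win        IN NS   dc1.win.my.domain.
win        IN NS   dc2.win.my.domain.
dc1.win    IN A    192.0.2.21            ; glue records (constructed)
dc2.win    IN A    192.0.2.22

; Delegate the FreeIPA domain to the IPA servers' integrated DNS.
; Keeping linux.my.domain distinct from win.my.domain is what lets the
; two realms later be joined with an AD trust instead of colliding.
linux      IN NS   ipa1.linux.my.domain.
linux      IN NS   ipa2.linux.my.domain.
ipa1.linux IN A    192.0.2.31            ; glue records (constructed)
ipa2.linux IN A    192.0.2.32
```

With this in place DHCP hands every client the single address 192.0.2.10 as its resolver, and each child zone's SRV records are served by the right system; `dig +trace _kerberos._tcp.win.my.domain SRV` from a client is a quick way to confirm the delegation chain ends at the domain controllers.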

With regards to DNS configuration, please just make sure that your AD and FreeIPA run under different domains and realms. If you run FreeIPA in the same domain as your AD, you will never be able to establish indirect AD integration with AD Trusts.

More deployment recommendations are on the FreeIPA wiki.

Martin Kosek