Build a production IPA server without integrate DNS and NTP with client

Solution 1

you don't have to. You can use your existing dns and ntp server infrastructure but you will need to manage the ipa records on your on your own instead of having ipa take care of it.

In fact it does not really matter what servers run the dns service as long as the clients get their answers from you the infrastructure in place. You can, for instance, delegate a sub domain in your main dns server to the ipa domain controllers. You do not need to change anything on the clients, they will still query your dns servers, which in turn will poll the ipa domain controllers caching the info like they would do with any other external domain.

As to the ntp infrastructure, the same applies. What is important is the existence of a canonical time source on the network. Which one it is is not so important. Deploy the configs using your favourite config management tool.

Solution 2

DNS and NTP being synced between your IPA server and clients is critical for kerberos tickets to be issued and considered valid. That is why it is recommended by RedHat to set up your IPA server as an NTP server. DNS is more optional; the critical part of DNS is that forward and reverse lookups succeed and match.

The RedHat published guide on IdM (built on IPA) can be found here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/#dns-reqs See section 2.4.6 for NTP more detailed explanation, and 3.5 for DNS.

The short overview of the two services: "Multiple DNS servers are usually configured, each one working as an authoritative resource for machines within a specific domain. Having the IdM server also be a DNS server is optional, but it is strongly recommended. When the IdM server also manages DNS, there is tight integration between the DNS zones and the IdM clients and the DNS configuration can be managed using native IdM tools. Even if an IdM server is a DNS server, other external DNS servers can still be used." (1.2.4, para 3)

"When the IdM server is the NTP server for the domain, all times and dates are synchronized before any other operations are performed. This allows all of the date-related services — including password expirations, ticket and certificate expirations, account lockout settings, and entry creation dates — to function as expected." (1.2.6, para 3)

Related videos on Youtube

10 : 31

Bài 2: Thiết Lập NTP Server - Rock Linux

Nhan Le

157

58 : 49

BackBox Software - How Organizations Can Automate Their Network Operations

BackBox Software

108

04 : 48

NTP Configuration in Server 2016

Tech NV

61

41 : 18

FreeIPA - Part 2 - Server and Client Install and Setup. An open source Active Directory alternative

Awesome Open Source

14

02 : 02

Build a production IPA server without integrate DNS and NTP with client (2 Solutions!!)

Roel Van de Paar

0

Author by

Hatem Mashaqi

Updated on September 18, 2022