On Mon, 09 Feb 2015, Guertin, David S. wrote:
> For Active Directory cross-forest trusts to work, we need the following records
> to be in place:
>
> _ldap._tcp.<DOMAIN>
> _kerberos._udp.<DOMAIN>
> _kerberos._tcp.<DOMAIN>
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.<DOMAIN>
> _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.<DOMAIN>
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.<DOMAIN>
> _ldap._tcp.dc._msdcs.<DOMAIN>
> _kerberos._udp.dc._msdcs.<DOMAIN>
> _kerberos._tcp.dc._msdcs.<DOMAIN>
>
> I've checked with nslookup, and for the IPA subdomain csns.example.com, all the
> records are in place. For the parent example.com domain, though, the following
> four records are not found:
>
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com
> _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.example.com
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com
> _kerberos._udp.dc._msdcs.example.com
>
> Do these need to be manually added to our DNS records? I've never had
> to manually add an SRV record before. If it matters, we are not using
> our domain controllers as our DNS servers -- we have separate,
> dedicated DNS servers in our environment.
Can you send me (off-list) logs as described in
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
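A small checker for the SRV record set discussed in this thread, added here as an example; it is not code from the thread or from the FreeIPA project. It builds the nine required names from the template in the message, parses `dig +short SRV` answers, reports names that are missing or point at an unexpected port, and prints BIND-style zone lines for the gaps. The sample answers, the `dc1.example.com` target, the TTL and the priority/weight values are constructed placeholders; the LDAP 389 / Kerberos 88 port mapping is standard AD usage rather than something stated in the thread.

```python
"""Audit the SRV records an AD cross-forest trust expects for a domain."""
import re
import subprocess

SERVICES = ["_ldap._tcp", "_kerberos._udp", "_kerberos._tcp"]
# Port each service should be advertised on for a domain controller
# (assumption from standard AD practice: LDAP on 389, Kerberos on 88).
SERVICE_PORTS = {"_ldap._tcp": 389, "_kerberos._udp": 88, "_kerberos._tcp": 88}

# One `dig +short SRV` answer line: "priority weight port target."
SRV_ANSWER = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def required_srv_names(domain, site="Default-First-Site-Name"):
    """Return the nine SRV owner names listed in the thread for `domain`."""
    suffixes = [
        domain,                               # _ldap._tcp.<DOMAIN> etc.
        f"{site}._sites.dc._msdcs.{domain}",  # site-specific DC records
        f"dc._msdcs.{domain}",                # all DCs in the domain
    ]
    return [f"{svc}.{suffix}" for suffix in suffixes for svc in SERVICES]


def parse_srv_answers(text):
    """Parse `dig +short SRV` output into (priority, weight, port, target) tuples.

    Lines that are not SRV answers (resolver warnings, blank lines) are ignored,
    so an empty or unparsable response simply yields no records.
    """
    records = []
    for line in text.splitlines():
        m = SRV_ANSWER.match(line)
        if m:
            prio, weight, port, target = m.groups()
            records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def audit(domain, answers, site="Default-First-Site-Name"):
    """Return {name: [problems]} for every required name that is absent or wrong.

    `answers` maps record name -> raw `dig +short SRV` text for that name.
    A name with no SRV answer is reported as missing; an answer on the wrong
    port is reported too, because the trust would still fail to connect.
    """
    problems = {}
    for name in required_srv_names(domain, site):
        svc = ".".join(name.split(".")[:2])  # e.g. "_kerberos._udp"
        recs = parse_srv_answers(answers.get(name, ""))
        issues = []
        if not recs:
            issues.append("missing")
        for _prio, _weight, port, target in recs:
            if port != SERVICE_PORTS[svc]:
                issues.append(f"unexpected port {port} for {target}")
        if issues:
            problems[name] = issues
    return problems


def zone_lines(names, dc_host, ttl=600):
    """BIND-style SRV lines for `names`, all pointing at `dc_host` (placeholder values)."""
    lines = []
    for name in names:
        svc = ".".join(name.split(".")[:2])
        lines.append(f"{name}.\t{ttl}\tIN\tSRV\t0 100 {SERVICE_PORTS[svc]} {dc_host}.")
    return lines


def query_with_dig(domain, site="Default-First-Site-Name", server=None):
    """Collect live answers with dig (needs network and the dig binary)."""
    answers = {}
    for name in required_srv_names(domain, site):
        cmd = ["dig", "+short", "SRV", name] + ([f"@{server}"] if server else [])
        answers[name] = subprocess.run(cmd, capture_output=True, text=True).stdout
    return answers


# Constructed sample mirroring the thread: the three apex records and two of the
# dc._msdcs records resolve, the four names the message lists return nothing.
SAMPLE_ANSWERS = {
    "_ldap._tcp.example.com": "0 100 389 dc1.example.com.\n",
    "_kerberos._udp.example.com": "0 100 88 dc1.example.com.\n",
    "_kerberos._tcp.example.com": "0 100 88 dc1.example.com.\n",
    "_ldap._tcp.dc._msdcs.example.com": "0 100 389 dc1.example.com.\n",
    "_kerberos._tcp.dc._msdcs.example.com": "0 100 88 dc1.example.com.\n",
}

if __name__ == "__main__":
    found = audit("example.com", SAMPLE_ANSWERS)
    for name, issues in found.items():
        print(f"{name}: {', '.join(issues)}")
    missing = [n for n, i in found.items() if "missing" in i]
    print("\n".join(zone_lines(missing, "dc1.example.com")))
```

For a real check replace `SAMPLE_ANSWERS` with `query_with_dig("example.com", server="<your DNS server>")`; pointing `server` at the dedicated DNS servers mentioned in the thread, rather than at a domain controller, tests the resolver the trust partner will actually consult.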