Xetroximyn
asked on
IPA and DNS... how worried do I need to be if our DNS/network is a little disorganized...
We have two Red Hat servers right now. We just got a new VMware server and I am setting up VMs to replace our current servers. Someone suggested that I use IPA to make user management easier. So I have been going through the install for it and I see this warning
"DNS records are vital for nearly all IdM domain functions, including running LDAP directory services, Kerberos, and Active Directory integration.
Be extremely cautious and ensure that you have a tested and functional DNS service available if the IdM domain will not use an IdM-hosted DNS server. It is critical that you have properly configured A and PTR records."
This warning is a little scary to me...
Right now our DNS is hosted on our SBS server... well... kind of... we have 3 subnets... 2 of them were just using the firewall DNS which was set to go straight out to the internet... only one of our subnets was really all pointed at the SBS server.... I just updated the firewalls to check the SBS server first...
I'm not super comfortable that our disorganized network will always have DNS working exactly right... To start... I don't plan to use the IPA servers for managing logging into anything except themselves. (i.e. they won't manage logins to any clients... there are just 2 RHEL servers... they are both IPA servers, and they will only manage the SSH, Samba, and SFTP logins to themselves).... in that case is DNS any less important?
I am also wondering.... How hard is it to run DNS on RHEL?.... We only have the one windows domain server... so if it's down I don't want any DNS problems... I wonder if I should run DNS on linux instead.... but will that mess with our windows domain?
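The warning quoted above asks for correct A and PTR records for the hosts the IdM domain depends on. The script below is an added example (not from this thread or from the IPA project) that checks exactly that: for each host it confirms the A record contains the expected address and that every address has a PTR pointing back to the same name. The host names, addresses and the two lookup tables are constructed stand-ins for an internal zone; the `live_forward`/`live_reverse` helpers swap in real resolver lookups when run on an actual network.

```python
"""A/PTR consistency check for hosts an IdM/IPA domain relies on.
Added example; names and addresses below are constructed."""
import socket


def check_host(hostname, expected_ip, forward, reverse):
    """Check one host. forward(name) -> list of IPv4 strings (A records),
    reverse(ip) -> PTR target name or None. Returns a list of problems;
    an empty list means forward and reverse records agree."""
    problems = []
    name = hostname.rstrip(".").lower()
    addrs = forward(name)
    if not addrs:
        problems.append("no A record")
        return problems
    if expected_ip not in addrs:
        problems.append(f"A record {addrs} does not contain expected {expected_ip}")
    for ip in addrs:
        ptr = reverse(ip)
        if ptr is None:
            problems.append(f"no PTR record for {ip}")
        elif ptr.rstrip(".").lower() != name:
            problems.append(f"PTR for {ip} is {ptr.rstrip('.')}, not {name}")
    return problems


def check_all(hosts, forward, reverse):
    """hosts: {hostname: expected_ip}. Returns {hostname: [problems]}."""
    return {h: check_host(h, ip, forward, reverse) for h, ip in hosts.items()}


def critical_ok(results, critical):
    """True when every host in `critical` (e.g. the IPA servers) has no problems."""
    return all(not results.get(h, ["missing"]) for h in critical)


# Constructed hosts: two IPA servers, a file server, and a remote-office client.
HOSTS = {
    "ipa1.example.test": "10.0.1.10",
    "ipa2.example.test": "10.0.1.11",
    "files.example.test": "10.0.1.20",
    "remote-pc.example.test": "10.0.3.50",
}

# Constructed zone data standing in for the internal DNS server:
# the client has no A record and the file server's PTR still carries an old name.
FORWARD_TABLE = {
    "ipa1.example.test": ["10.0.1.10"],
    "ipa2.example.test": ["10.0.1.11"],
    "files.example.test": ["10.0.1.20"],
}
REVERSE_TABLE = {
    "10.0.1.10": "ipa1.example.test.",   # trailing dot, as a PTR target is usually returned
    "10.0.1.11": "ipa2.example.test",
    "10.0.1.20": "oldfiles.example.test",
}


def table_forward(name):
    return list(FORWARD_TABLE.get(name, []))


def table_reverse(ip):
    return REVERSE_TABLE.get(ip)


def live_forward(name):
    """Real A lookup via the system resolver (hypothetical use on a real network)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def live_reverse(ip):
    """Real PTR lookup via the system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    results = check_all(HOSTS, table_forward, table_reverse)
    for host, problems in results.items():
        print(host, "OK" if not problems else "; ".join(problems))
    print("IPA servers consistent:",
          critical_ok(results, ["ipa1.example.test", "ipa2.example.test"]))
```

Run against the constructed tables, the two IPA servers pass, the file server is flagged for a stale PTR, and the remote client is flagged for having no A record at all; the `critical_ok` call separates "the servers IPA itself depends on are right" from "every client in the zone is right", which is the distinction the question is circling.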
ASKER
Thanks - I understand those basics... I'm just a bit anxious because our DNS is run on a single SBS server... what if that server is down? Does that mean nobody can log into our servers?
Also I have static records for servers, but what if there are any wrong records about clients.... will people from those clients still be able to log into servers? Like... if I am only using IPA to control authentication to my servers, does the DNS of the clients matter? Or just the servers whose authentication is dependent on IPA?
I always advocate having at least 2 internal AD/DNS servers but this is not always practical due to cost (and I think limitations of SBS). It is safe to run with just a single DNS server but you need to make sure you are backing up system state or if there is a failure you will lose everything... of course if the DNS server goes down the network will fail until you can bring it back online.
As to incorrect client records in DNS I would not worry about this if you are running DHCP on your SBS as it will automatically update client DNS records when they connect and get an IP. If you are running DHCP on your firewall/ router/ switch I would move it to your SBS server.
If you are concerned that your clients are not pointing to the internal DNS server simply check your DHCP scope options and make sure the only DNS server listed is your internal one.
eb
ASKER
So the thing is we have a few subnets and a remote location. So as far as I know DNS needs to be handled by the firewall for all the subnets except the one the SBS server is on. Is that right?
But that's part of what I'm worried about. What matters when it comes to IPA? The SBS DNS server might not have a record of a client in our remote office. Does that mean the client will have a hard time to ssh to our production server? Like, I'm guessing that it's not the records of the clients that really matter when it comes to IPA unless you are going to be using IPA to log into the clients. But if you're just using IPA to control the logins for a couple servers, then I would think what really matters in the DNS is that the DNS is all correct for your servers and your IPA servers. Would you agree?
ASKER CERTIFIED SOLUTION