Check additional UPN suffixes associated with the IPA realm on Active Directory side.
- Setup IPA Server per QA:Testcase_freeipav3_installation with integrated DNS
- Setup additional domains associated with IPA realm per QA:Testcase_freeipav3_ad_realmdomains
- Setup Active Directory trust per QA:Testcase_freeipav3_ad_trust
During the process of establishing trust with AD, Active Directory domain controller will pull in information about additional domains associated with IPA realm. They can be seen in Active Directory UI for Domains and Trusts and should be first enabled to use.
Instruction below assumes Windows 2012 Server is in use. For Windows 2008R2 Server and below one shou
How to test
0. Add new domain to IPA and configure a host in it:
# ipa dnszone-add example1.com --name-server=ns --email@example.com --ip-address=<IP> # ipa dnsrecord-add example1.com pool --a-rec=<IP ADDRESS 1>
1. Create new VM and enroll new host with name pool.example1.com and IP address <IP ADDRESS 1>
2. Log in into Active Directory domain controller as Administrator.
3. Open Active Directory Domain and Trusts
4. In the console tree, right-click the domain node for the AD.LAN domain, and then click Properties.
5. On the Trusts tab, click the IPA forest trust, and then click Properties.
6. On the Name Suffix Routing tab, under Name suffixes in the IPA forest, click the suffix to modify the routing status, and then click Edit.
7. In Existing name suffixes in IPA forest, click the suffix that you want to modify, and then click Enable or Disable.
8. Modify list of the domains on the IPA side:
# ipa realmdomains-mod --add-domain foobar1.ext
9. Click Refresh button on the Name Suffixes Routing tab
10. You should see foobar1.ext domain appearing there with Disabled status.
11. Launch command line (cmd32) and attempt to obtain ticket to host/pool.example1.com:
> klist get host/pool.example1.com
All the test steps should end with the above specified results.