Deploy Windows 2016 AD and Fedora 25 IPA with a One-way Trust

Introduction

For the purpose of this post, the two machines I used for these instructions are VMs running atop a Fedora 25 hypervisor which was configured as outlined here:

Configuring Fedora 25 as a Hypervisor using Virtual Machine Manager

Note: Make sure that when deploying IPA and AD that you do so on separate domains.  Otherwise, IPA clients will be querying the AD server directly when they dig the domain for ldap records.

INCORRECT: IPA Server: ipa01.example.com | AD Server: ad01.example.com
CORRECT: IPA Server: ipa01.linux.example.com | AD Server: ad01.example.com
CORRECT: IPA Server: ipa01.example.com | AD Server: ad01.win.example.com
CORRECT: IPA Server: ipa01.linux.example.com | AD Server: ad01.win.example.com
CORRECT: IPA Server: ipa01.somedomain.com | AD Server: ad01.otherdomain.com

Deploying Windows 2016 AD

  1. On my first VM, I booted using a Trial ISO of Windows Server 2016:
  2. Begin the installation with Windows Server 2016 Standard Evaluation (Desktop Experience).
  3. After the machine boots from installation, configure the Hostname:
    1. Server Manager – Local Server.
    2. Click on the machine’s current hostname.
    3. Click Change and change the hostname to your preference.
      • Example: win16ad01
  4. Configure Active Directory and DNS:
    1. Server Manager – Dashboard.
    2. Add Roles and Features.
    3. For Installation Type, choose Role-based or feature-based installation.
    4. For Server Roles, click Active Directory Domain Services and DNS Server.
    5. Within Server Manager, go to AD DS and click on More.
    6. Click on Promote this server to a domain….
    7. In the next window, choose Add a new Forest.
      • Here, set the full DN of your Forest.
        • Example: win.terranforge.com

Deploying Fedora 25 IPA

  1. For the second VM, I booted using the HTTP link to Fedora 25 Server:
  2. During pre-installation:
    1. Choose Minimal at Software Selection.
    2. In Network & Host Name, set the full hostname of the machine.
      • Example: f25ipa01.linux.terranforge.com
    3. Make sure to give /var a large amount of space, as this is where the IPA Database and Logs will be stored.
  3. After installation and reaching a root prompt:
    1. Install the IPA packages and the RNG package:
      • dnf install ipa-server ipa-server-dns ipa-server-trust-ad rng-tools -y
      • The RNG daemon will generate free entropy to be used during the certificate database creation, otherwise that process can take a very long time to complete.
    2. Open the correct ports that IPA will use:
      • firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --add-service=freeipa-trust --permanent
      • firewall-cmd --reload
    3. Start the RNG Daemon:
      • systemctl start rngd
    4. Configure the IPA instance:
      • ipa-server-install --setup-dns
        1. For Server host name, press Enter (Hostname was set during pre-install).
        2. For Domain name and Realm name, press Enter.
        3. Press Enter when prompted for DNS forwarders.
        4. For Enter an IP address for a DNS forwarder, enter the IP Address of your Windows 2016 AD.
        5. Type yes and press Enter to finalize the pre-configuration and begin installation.

Configure the One-way Trust

  1. From the Fedora root prompt, prepare IPA for the trust:
    • ipa-adtrust-install
    • All options should be default.
  2. Configure and Verify the trust:
    1. ipa trust-add --type=ad --admin Administrator --password
      • Example: ipa trust-add --type=ad win.terranforge.com --admin Administrator --password
    2. id administrator@win.terranforge.com

Get involved and ask questions

You can get in touch with the IPA community by joining the #freeipa and #sssd channels on Freenode and the freeipa-users and sssd-users mailing lists.

Advertisements