Chapter 4. Configuring External Services
Use this section to configure your Red Hat Satellite Capsule Server to work with external DNS, DHCP and TFTP services.
4.1. Configuring Capsule Server with External DNS
You can configure Capsule Server with external DNS. Capsule uses the nsupdate utility to update DNS records on the remote server.
To make any changes persistent, you must enter the satellite-installer command with the options appropriate for your environment.
Prerequisites
Before you can configure Capsule Server with external DNS, ensure that the following conditions are met:
- You must have a configured external DNS server.
Procedure
To configure Capsule Server with external DNS, complete the following steps:
- Install the bind and bind-utils packages:
  # yum install bind bind-utils
- Copy the /etc/rndc.key file from the external DNS server to Capsule Server. The file holds the shared secret that the DNS server accepts for updates, so transfer it only over an authenticated channel such as scp:
  # scp root@dns.example.com:/etc/rndc.key /etc/rndc.key
- Configure the ownership, permissions, and SELinux context so that only root and the named group can read the key:
  # restorecon -v /etc/rndc.key
  # chown -v root:named /etc/rndc.key
  # chmod -v 640 /etc/rndc.key
- To test the nsupdate utility, add a host remotely:
- Enter the satellite-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/dns.yml file:
- Restart the foreman-proxy service:
  # systemctl restart foreman-proxy
- Log in to the Satellite Server web UI and navigate to Infrastructure > Capsules.
- Locate the Capsule Server that you want to configure with external DNS and from the list in the Actions column, select Refresh.
- Associate the DNS service with the appropriate subnets and domain.
4.2. Configuring Capsule Server with External DHCP
To configure Capsule Server with external DHCP, you must complete the following procedures:
4.2.1. Configuring an External DHCP Server to Use with Capsule Server
To configure an external DHCP server to use with Capsule Server, on a Red Hat Enterprise Linux server, you must install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) packages. You must also share the DHCP configuration and lease files with Capsule Server. The example in this procedure uses the distributed Network File System (NFS) protocol to share the DHCP configuration and lease files.
Procedure
To configure an external DHCP server to use with Capsule Server, complete the following steps:
- On a Red Hat Enterprise Linux server, install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) packages:
  # yum install dhcp bind
- Generate the OMAPI key. ISC DHCP authenticates OMAPI requests with an HMAC-MD5 key, which is why that algorithm is used here:
  # dnssec-keygen -a HMAC-MD5 -b 512 -n HOST omapi_key
  As a result, a key pair that consists of two files, Komapi_key.+*.key and Komapi_key.+*.private, is created in the current directory.
- Copy the secret from the private key file:
  # cat Komapi_key.+*.private | grep ^Key | cut -d ' ' -f2
- Edit the dhcpd configuration file for all of the subnets and add the key. The following is an example:
  Note that the option routers value is the Satellite or Capsule IP address that you want to use with an external DHCP service.
- Delete the two key files from the directory that they were created in. They hold the same secret that is now in dhcpd.conf, so overwrite them (for example with shred -u) rather than only unlinking them.
- On Satellite Server, define each subnet. Do not set DHCP Capsule for the defined Subnet yet. - To prevent conflicts, set up the lease and reservation ranges separately. For example, if the lease range is 192.168.38.10 to 192.168.38.100, in the Satellite web UI define the reservation range as 192.168.38.101 to 192.168.38.250. 
- Configure the firewall for external access to the DHCP server:
  # firewall-cmd --add-service dhcp \
  && firewall-cmd --runtime-to-permanent
- On Satellite Server, determine the UID and GID of the foreman user:
  # id -u foreman
  993
  # id -g foreman
  990
- On the DHCP server, create the foreman user and group with the same IDs as determined in the previous step:
  # groupadd -g 990 foreman
  # useradd -u 993 -g 990 -s /sbin/nologin foreman
- To ensure that the configuration files are accessible, restore the read and execute flags, then make the files immutable:
  # chmod o+rx /etc/dhcp/
  # chmod o+r /etc/dhcp/dhcpd.conf
  # chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf
  Note that dhcpd.conf now contains the OMAPI secret and o+r makes it readable by every local account on the DHCP server, so keep logins on this host to the administrators who need them. The immutable attribute must be cleared with chattr -i before the file can be edited again.
- Start the DHCP service:
  # systemctl start dhcpd
- Export the DHCP configuration and lease files using NFS:
  # yum install nfs-utils
  # systemctl enable rpcbind nfs-server
  # systemctl start rpcbind nfs-server nfs-lock nfs-idmapd
- Create directories for the DHCP configuration and lease files that you want to export using NFS:
  # mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp
- To create mount points for the created directories, add the following lines to the /etc/fstab file:
  /var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0
  /etc/dhcp /exports/etc/dhcp none bind,auto 0 0
- Mount the file systems in /etc/fstab:
  # mount -a
- Ensure the following lines are present in /etc/exports:
  /exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)
  /exports/etc/dhcp 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)
  /exports/var/lib/dhcpd 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)
  Note that the IP address that you enter is the Satellite or Capsule IP address that you want to use with an external DHCP service. Because no_root_squash lets the client's root user act as root on these exports, keep each export limited to that single address rather than a network range.
- Reload the NFS server:
  # exportfs -rva
- Configure the firewall for the DHCP OMAPI port 7911:
  # firewall-cmd --add-port="7911/tcp" \
  && firewall-cmd --runtime-to-permanent
  This admits OMAPI connections from any source the zone accepts, and OMAPI is protected only by the key in dhcpd.conf; if your firewall policy allows, limit the source to the Capsule address instead.
- Optional: Configure the firewall for external access to NFS. Clients are configured using NFSv3. Use the firewalld NFS service to configure the firewall:
  # firewall-cmd --zone public --add-service mountd \
  && firewall-cmd --zone public --add-service rpc-bind \
  && firewall-cmd --zone public --add-service nfs \
  && firewall-cmd --runtime-to-permanent
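The OMAPI key steps above (generate the key, copy the secret, put it in dhcpd.conf, remove the key files) as one script on the DHCP server. This is an added example, not code from the Satellite documentation: it keeps the page's dnssec-keygen command and key name omapi_key, extracts the secret from the K*.private file, renders the key stanza plus a subnet block for the 192.168.38.0/24 network used in the procedure (router address 192.168.38.1, both assumptions), syntax-checks the result with dhcpd -t, and shreds the files that held the secret. The dhcpd.conf path and the use of a temporary working directory are also assumptions.

```shell
#!/bin/bash
# Added example, not code from the Satellite documentation: carry out the OMAPI key
# steps as one script on the DHCP server. Key name omapi_key, the 192.168.38.0/24
# subnet and router 192.168.38.1 come from the procedure; the rest are assumptions.
set -u

# Print the base64 secret stored on the "Key:" line of a dnssec-keygen private file.
extract_omapi_secret() {
  awk '$1 == "Key:" { print $2; exit }' "$1"
}

# Render the OMAPI key stanza plus one subnet. dhcpd authenticates every OMAPI
# request (the Capsule's lease add/remove operations) with this HMAC-MD5 key.
render_dhcpd_conf() {
  local key_name=$1 secret=$2 routers=${3:-192.168.38.1}
  cat <<EOF
omapi-port 7911;
key $key_name {
    algorithm HMAC-MD5;
    secret "$secret";
};
omapi-key $key_name;

subnet 192.168.38.0 netmask 255.255.255.0 {
    range 192.168.38.10 192.168.38.100;
    option routers $routers;
    option subnet-mask 255.255.255.0;
}
EOF
}

# End-to-end flow (needs root plus the bind and dhcp packages); not run by the test.
setup_omapi_key() {
  local key_name=${1:-omapi_key} conf=${2:-/etc/dhcp/dhcpd.conf} workdir secret rc
  workdir=$(mktemp -d) || return 1
  # Generate the key in a private directory, not in the shell's current directory.
  (cd "$workdir" && dnssec-keygen -a HMAC-MD5 -b 512 -n HOST "$key_name" >/dev/null) || return 1
  secret=$(extract_omapi_secret "$workdir"/K"$key_name".+*.private) || return 1
  [ -n "$secret" ] || { echo "no Key: line found" >&2; return 1; }
  render_dhcpd_conf "$key_name" "$secret" > "$workdir/dhcpd.fragment"
  # Show what is being added, with the secret masked so it does not land in terminal logs.
  sed 's/secret ".*"/secret "<redacted>"/' "$workdir/dhcpd.fragment"
  # Append, then let dhcpd parse the file before the service is started.
  cat "$workdir/dhcpd.fragment" >> "$conf" && dhcpd -t -cf "$conf"
  rc=$?
  # Overwrite and remove every file that held the secret; dhcpd.conf is now the only copy.
  shred -u "$workdir"/K"$key_name".+* "$workdir/dhcpd.fragment"
  rmdir "$workdir"
  return $rc
}
```

Run setup_omapi_key as root on the DHCP server before the chattr +i step, since the immutable attribute would otherwise block the append. The secret that ends up in dhcpd.conf is the only thing standing between a host that can reach port 7911 and the lease database, which is why the script shreds its scratch copies and why the firewall rule for 7911 should be as narrow as your policy allows.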
 
4.2.2. Configuring Capsule Server with an External DHCP Server
You can configure Capsule Server with an external DHCP server.
Prerequisite
- Ensure that you have configured an external DHCP server and that you have shared the DHCP configuration and lease files with Capsule Server. For more information, see Section 4.2.1, “Configuring an External DHCP Server to Use with Capsule Server”.
Procedure
To configure Capsule Server with external DHCP, complete the following steps:
- Install the nfs-utils utility:
  # yum install nfs-utils
- Create the DHCP directories for NFS:
  # mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd
- Change the file owner:
  # chown -R foreman-proxy /mnt/nfs
- Verify communication with the NFS server and the Remote Procedure Call (RPC) communication paths:
  # showmount -e DHCP_Server_FQDN
  # rpcinfo -p DHCP_Server_FQDN
- Add the following lines to the /etc/fstab file:
  DHCP_Server_FQDN:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0" 0 0
  DHCP_Server_FQDN:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0" 0 0
- Mount the file systems in /etc/fstab:
  # mount -a
- To verify that the foreman-proxy user can access the files that are shared over the network, display the DHCP configuration and lease files:
  # su foreman-proxy -s /bin/bash
  bash-4.2$ cat /mnt/nfs/etc/dhcp/dhcpd.conf
  bash-4.2$ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases
  bash-4.2$ exit
- Enter the satellite-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/dhcp.yml file:
- Restart the foreman-proxy service:
  # systemctl restart foreman-proxy
- Log in to the Satellite Server web UI.
- Navigate to Infrastructure > Capsules. Locate the Capsule Server that you want to configure with external DHCP, and from the list in the Actions column, select Refresh.
- Associate the DHCP service with the appropriate subnets and domain.
4.3. Configuring Capsule Server with External TFTP
You can configure Capsule Server with external TFTP services.
Procedure
To configure Capsule Server with external TFTP, complete the following steps:
- Create the TFTP directory for NFS:
  # mkdir -p /mnt/nfs/var/lib/tftpboot
- In the /etc/fstab file, add the following line:
  TFTP_Server_IP_Address:/exports/var/lib/tftpboot /mnt/nfs/var/lib/tftpboot nfs rw,vers=3,auto,nosharecache,context="system_u:object_r:tftpdir_rw_t:s0" 0 0
- Mount the file systems in /etc/fstab:
  # mount -a
- Enter the satellite-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/tftp.yml file:
  # satellite-installer --foreman-proxy-tftp=true \
    --foreman-proxy-tftp-root /mnt/nfs/var/lib/tftpboot
- If the TFTP service is running on a different server than the DHCP service, update the tftp_servername setting with the FQDN or IP address of the server that the TFTP service is running on:
  # satellite-installer --foreman-proxy-tftp-servername=TFTP_Server_FQDN
- Log in to the Satellite Server web UI.
- Navigate to Infrastructure > Capsules. Locate the appropriate Capsule Server and from the list in the Actions column, select Refresh.
- Associate the TFTP service with the appropriate subnets and domain.
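A check for the Capsule-side NFS entries created in Section 4.2.2 and Section 4.3. This is an added example, not code from the Satellite documentation: it verifies that each entry is NFSv3 with nosharecache and the SELinux context= label the procedures prescribe, that the two DHCP shares are mounted read-only (the Capsule changes leases through OMAPI, never by writing the files), and that the TFTP share is read-write. The mount points are the ones from the procedures; the server names dhcp.example.com and tftp.example.com, and the check function names, are assumptions.

```shell
#!/bin/bash
# Added example, not code from the Satellite documentation: validate the Capsule-side
# NFS fstab entries for external DHCP (Section 4.2.2) and TFTP (Section 4.3).
set -u

# check_nfs_entry "<fstab line>" <ro|rw> <selinux type>
# Prints "ok" or the first problem found; returns 0 only when the entry is as prescribed.
check_nfs_entry() {
  local want_mode=$2 want_type=$3 mnt fstype opts opt
  set -f; set -- $1; set +f      # split the fstab fields; -f keeps '*' from globbing
  [ $# -ge 4 ] || { echo "malformed fstab line"; return 1; }
  mnt=$2 fstype=$3 opts=$4
  [ "$fstype" = nfs ] || { echo "$mnt: fstype '$fstype', expected nfs"; return 1; }
  for opt in "$want_mode" vers=3 nosharecache; do
    case ",$opts," in
      *",$opt,"*) ;;
      *) echo "$mnt: missing option '$opt'"; return 1 ;;
    esac
  done
  if [ "$want_mode" = ro ]; then
    case ",$opts," in *",rw,"*) echo "$mnt: mounted rw, expected ro"; return 1 ;; esac
  fi
  # context= labels every file on the mount so foreman-proxy can read it under SELinux.
  case "$opts" in
    *"context=\"system_u:object_r:${want_type}:s0\""*) ;;
    *) echo "$mnt: SELinux context is not system_u:object_r:${want_type}:s0"; return 1 ;;
  esac
  echo ok
}

# Check the three Capsule mounts in an fstab file; returns 1 if any entry deviates.
check_capsule_nfs_fstab() {
  local fstab=$1 rc=0 line
  while IFS= read -r line; do
    case "$line" in
      *" /mnt/nfs/etc/dhcp "*)         check_nfs_entry "$line" ro dhcp_etc_t    || rc=1 ;;
      *" /mnt/nfs/var/lib/dhcpd "*)    check_nfs_entry "$line" ro dhcpd_state_t || rc=1 ;;
      *" /mnt/nfs/var/lib/tftpboot "*) check_nfs_entry "$line" rw tftpdir_rw_t  || rc=1 ;;
    esac
  done < "$fstab"
  return $rc
}

# After mount -a, confirm the proxy user really can read through the mounts (run as root
# on the Capsule); an SELinux denial or a UID mismatch on the NFS server shows up here.
verify_as_foreman_proxy() {
  su foreman-proxy -s /bin/bash -c \
    'cat /mnt/nfs/etc/dhcp/dhcpd.conf /mnt/nfs/var/lib/dhcpd/dhcpd.leases >/dev/null && echo readable'
}
```

Run check_capsule_nfs_fstab /etc/fstab on the Capsule before mount -a, then verify_as_foreman_proxy afterwards. A read-write mount of the DHCP shares is the case worth catching: it would let a compromised proxy process rewrite dhcpd.conf on the DHCP server, while the procedure only needs it to read the leases and configuration.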
4.4. Configuring Satellite or Capsule with External IdM DNS
Red Hat Satellite can be configured to use a Red Hat Identity Management (IdM) server to provide the DNS service. Two methods are described here to achieve this, both using a transaction key. For more information on Red Hat Identity Management, see the Linux Domain Identity, Authentication, and Policy Guide.
The first method is to install the IdM client which automates the process with the generic security service algorithm for secret key transaction (GSS-TSIG) technology defined in RFC3645. This method requires installing the IdM client on the Satellite Server or Capsule’s base system and having an account created by the IdM server administrator for use by the Satellite administrator. See Section 4.4.1, “Configuring Dynamic DNS Update with GSS-TSIG Authentication” to use this method.
The second method, secret key transaction authentication for DNS (TSIG), uses an rndc.key for authentication. It requires root access to the IdM server to edit the BIND configuration file, installing the BIND utility on the Satellite Server’s base system, and copying the rndc.key between the systems. This technology is defined in RFC2845. See Section 4.4.2, “Configuring Dynamic DNS Update with TSIG Authentication” to use this method.
You are not required to use Satellite to manage DNS. If you are using the Realm enrollment feature of Satellite, where provisioned hosts are enrolled automatically to IdM, then the ipa-client-install script creates DNS records for the client. The following procedure and Realm enrollment are therefore mutually exclusive. For more information on configuring Realm enrollment, see External Authentication for Provisioned Hosts in Administering Red Hat Satellite.
Determining where to install the IdM Client
When Satellite Server wants to add a DNS record for a host, it first determines which Capsule is providing DNS for that domain. It then communicates with the Capsule and adds the record. The hosts themselves are not involved in this process. This means you should install and configure the IdM client on the Satellite or Capsule that is currently configured to provide a DNS service for the domain you want to manage using the IdM server.
4.4.1. Configuring Dynamic DNS Update with GSS-TSIG Authentication
In this example, Satellite Server has the following settings.
| Host name | |
| Network | |
The IdM server has the following settings.
| Host name | |
| Domain name | |
Before you Begin.
- Confirm the IdM server is deployed and the host-based firewall has been configured correctly. For more information, see Port Requirements in the Linux Domain Identity, Authentication, and Policy Guide.
- Obtain an account on the IdM server with permissions to create zones on the IdM server.
- Confirm if the Satellite or an external Capsule is managing DNS for a domain.
- Confirm that the Satellite or external Capsule are currently working as expected.
- In the case of a newly installed system, complete the installation procedures in this guide first. In particular, DNS and DHCP configuration should have been completed.
- Make a backup of the answer file in case you have to revert the changes. See Specifying Installation Options for more information.
Create a Kerberos Principal on the IdM Server.
- Ensure you have a Kerberos ticket:
  # kinit idm_user
  Where idm_user is the account created for you by the IdM administrator.
- Create a new Kerberos principal for the Satellite or Capsule to use to authenticate to the IdM server:
  # ipa service-add capsule/satellite.example.com
Install and Configure the IdM Client.
Do this on the Satellite or Capsule Server that is managing the DNS service for a domain.
- Install the ipa-client package on Satellite Server or Capsule Server.
  On Satellite Server, enter the following command:
  # satellite-maintain packages install ipa-client
  On Capsule Server, enter the following command:
  # yum install ipa-client
- Configure the IdM client by running the installation script and following the on-screen prompts:
  # ipa-client-install
- Ensure you have a Kerberos ticket:
  # kinit admin
- Remove any preexisting keytab:
  # rm /etc/foreman-proxy/dns.keytab
- Get the keytab created for this system:
  # ipa-getkeytab -p capsule/satellite.example.com@EXAMPLE.COM \
    -s idm1.example.com -k /etc/foreman-proxy/dns.keytab
  Note: When adding a keytab to a standby system with the same host name as the original system in service, add the -r option to prevent generating new credentials and rendering the credentials on the original system invalid.
- Set the group and owner for the keytab file to foreman-proxy as follows:
  # chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab
- If required, check the keytab is valid:
  # kinit -kt /etc/foreman-proxy/dns.keytab \
    capsule/satellite.example.com@EXAMPLE.COM
Configure DNS Zones in the IdM web UI.
- Create and configure the zone to be managed:
  - Navigate to Network Services > DNS > DNS Zones.
  - Select Add and enter the zone name. In this example, example.com.
  - Click Add and Edit.
  - On the Settings tab, in the BIND update policy box, add an entry as follows to the semi-colon separated list:
    grant capsule\047satellite.example.com@EXAMPLE.COM wildcard * ANY;
    Here \047 is the octal escape for the slash in the service principal name. The grant allows that one principal to update records of any type for any name in the zone, which is what the Capsule needs to create and remove host records.
  - Ensure Dynamic update is set to True.
  - Enable Allow PTR sync.
  - Select Save to save the changes.
- Create and configure the reverse zone:
  - Navigate to Network Services > DNS > DNS Zones.
  - Select Add.
  - Select Reverse zone IP network and add the network address in CIDR format to enable reverse lookups.
  - Click Add and Edit.
  - On the Settings tab, in the BIND update policy box, add the same entry to the semi-colon separated list:
    grant capsule\047satellite.example.com@EXAMPLE.COM wildcard * ANY;
  - Ensure Dynamic update is set to True.
  - Select Save to save the changes.
 
Configure the Satellite or Capsule Server Managing the DNS Service for the Domain.
- On a Satellite Server’s Base System.
- On a Capsule Server’s Base System.
Restart the Satellite or Capsule’s Proxy Service.
# systemctl restart foreman-proxy
Update the Configuration in Satellite web UI.
After you have run the installation script to make any changes to a Capsule, instruct Satellite to scan the configuration on each affected Capsule as follows:
- Navigate to Infrastructure > Capsules.
- For each Capsule to be updated, from the Actions drop-down menu, select Refresh.
- Configure the domain: - Go to Infrastructure > Domains and select the domain name.
- On the Domain tab, ensure DNS Capsule is set to the Capsule where the subnet is connected.
 
- Configure the subnet: - Go to Infrastructure > Subnets and select the subnet name.
- On the Subnet tab, set IPAM to None.
- On the Domains tab, ensure the domain to be managed by the IdM server is selected.
- On the Capsules tab, ensure Reverse DNS Capsule is set to the Capsule where the subnet is connected.
- Click Submit to save the changes.
 
4.4.2. Configuring Dynamic DNS Update with TSIG Authentication
In this example, Satellite Server has the following settings.
| IP address | |
| Host name | |
The IdM server has the following settings.
| Host name | |
| IP address | |
| Domain name | |
Before you Begin
- Confirm the IdM Server is deployed and the host-based firewall has been configured correctly. For more information, see Port Requirements in the Linux Domain Identity, Authentication, and Policy Guide.
- Obtain root user privileges on the IdM server.
- Confirm if the Satellite or an external Capsule is managing DNS for a domain.
- Confirm that the Satellite or external Capsule are currently working as expected.
- In the case of a newly installed system, complete the installation procedures in this guide first. In particular, DNS and DHCP configuration should have been completed.
- Make a backup of the answer file in case you have to revert the changes. See Specifying Installation Options for more information.
Enabling External Updates to the DNS Zone in the IdM Server
- On the IdM Server, add the following to the top of the /etc/named.conf file.
- Reload named to make the changes take effect:
  # systemctl reload named
- In the IdM web UI, go to Network Services > DNS > DNS Zones. Select the name of the zone. On the Settings tab:
  - Add the following in the BIND update policy box:
    grant "rndc-key" zonesub ANY;
  - Ensure Dynamic update is set to True.
  - Click Update to save the changes.
 
- Copy the /etc/rndc.key file from the IdM server to Satellite’s base system as follows:
  # scp /etc/rndc.key root@satellite.example.com:/etc/rndc.key
- Ensure that the ownership, permissions, and SELinux context are correct:
  # restorecon -v /etc/rndc.key
  # chown -v root:named /etc/rndc.key
  # chmod -v 640 /etc/rndc.key
- On Satellite Server, run the installation script as follows to use the external DNS server.
Testing External Updates to the DNS Zone in the IdM Server
- Install bind-utils for testing with nsupdate:
  # yum install bind-utils
- Ensure the key in the /etc/rndc.key file on Satellite Server is the same one as used on the IdM server:
  key "rndc-key" {
      algorithm hmac-md5;
      secret "secret-key==";
  };
- On Satellite Server, create a test DNS entry for a host. For example, host test.example.com with an A record of 192.168.25.20 on the IdM server at 192.168.25.1:
  # printf 'server 192.168.25.1\nupdate add test.example.com 3600 IN A 192.168.25.20\nsend\n' | nsupdate -k /etc/rndc.key
- On Satellite Server, test the DNS entry.
- To view the entry in the IdM web UI, go to Network Services > DNS > DNS Zones. Select the name of the zone and search for the host by name.
- If resolved successfully, remove the test DNS entry:
  # printf 'server 192.168.25.1\nupdate delete test.example.com 3600 IN A 192.168.25.20\nsend\n' | nsupdate -k /etc/rndc.key
- Confirm that the DNS entry was removed:
  # nslookup test.example.com 192.168.25.1
  If the record was successfully deleted, the nslookup command fails with NXDOMAIN (server can't find test.example.com), because the name no longer exists in the zone.
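A round trip that tests a dynamic-update credential the way the steps above do, written once for Section 4.1 (external BIND with a copied rndc.key), Section 4.4.1 (GSS-TSIG with the foreman-proxy keytab) and Section 4.4.2 (TSIG against IdM). This is an added example, not code from the Satellite documentation: it adds an A record, confirms the authoritative server answers it, deletes it, and confirms the name is gone, after first checking that the copied key file has the mode and owner the procedures set. The server 192.168.25.1, name test.example.com and address 192.168.25.20 are the values from the procedure; the function names and the use of dig (from bind-utils) instead of nslookup are assumptions.

```shell
#!/bin/bash
# Added example, not code from the Satellite documentation: exercise a dynamic-update
# credential end to end (TSIG with rndc.key, or GSS-TSIG with the keytab from 4.4.1).
# Server, zone and test address are the values used in the procedure above.
set -u

# Print the nsupdate statements for one A record (action is "add" or "delete").
nsupdate_script() {
  local action=$1 server=$2 fqdn=$3 ip=$4 ttl=${5:-3600}
  printf 'server %s\nupdate %s %s %s IN A %s\nsend\n' "$server" "$action" "$fqdn" "$ttl" "$ip"
}

# The copied TSIG key must stay readable only by root and the named group (mode 640).
# Prints "ok" or the problem found; returns 1 if the file is missing or exposed.
check_key_file() {
  local keyfile=$1 want_owner=${2:-root} want_group=${3:-named} mode owner group
  [ -f "$keyfile" ] || { echo "$keyfile: missing"; return 1; }
  mode=$(stat -c %a "$keyfile")
  owner=$(stat -c %U "$keyfile")
  group=$(stat -c %G "$keyfile")
  [ "$mode" = 640 ] || { echo "$keyfile: mode $mode, expected 640"; return 1; }
  [ "$owner" = "$want_owner" ] && [ "$group" = "$want_group" ] ||
    { echo "$keyfile: owned by $owner:$group, expected $want_owner:$want_group"; return 1; }
  echo ok
}

# nsupdate_roundtrip "<nsupdate auth flags>" <server> <fqdn> <ip>
# Auth is "-k /etc/rndc.key" for TSIG, or "-g" for GSS-TSIG after kinit -kt with the
# keytab. Not run by the test: it talks to a real DNS server.
nsupdate_roundtrip() {
  local auth=$1 server=$2 fqdn=$3 ip=$4
  nsupdate_script add "$server" "$fqdn" "$ip" | nsupdate $auth || return 1
  # Accepted is not enough: the authoritative server must now answer the name.
  [ "$(dig +short "@$server" "$fqdn" A)" = "$ip" ] || { echo "add not visible"; return 1; }
  nsupdate_script delete "$server" "$fqdn" "$ip" | nsupdate $auth || return 1
  # After the delete the name no longer exists, so the status must be NXDOMAIN.
  dig +noall +comments "@$server" "$fqdn" A | grep -q 'status: NXDOMAIN' ||
    { echo "delete not visible"; return 1; }
  echo roundtrip-ok
}

# Usage on Satellite Server, TSIG with the key copied from the DNS or IdM server:
#   check_key_file /etc/rndc.key && nsupdate_roundtrip "-k /etc/rndc.key" 192.168.25.1 test.example.com 192.168.25.20
# GSS-TSIG with the keytab from Section 4.4.1:
#   kinit -kt /etc/foreman-proxy/dns.keytab capsule/satellite.example.com@EXAMPLE.COM
#   nsupdate_roundtrip -g 192.168.25.1 test.example.com 192.168.25.20
```

The two dig checks are the part the manual test above leaves implicit: an update that nsupdate reports as accepted but that the server never serves usually means the grant in the BIND update policy does not cover the name or record type, and a delete that leaves the name resolvable means the test record is still in the zone and must be removed before the Capsule starts managing it.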
4.4.3. Reverting to Internal DNS Service
To revert to using Satellite Server and Capsule Server as DNS providers, follow this procedure.
On the Satellite or Capsule Server that is to manage DNS for the domain.
- If you backed up the answer file before the change to external DNS, restore the answer file and then run the installation script:
  # satellite-installer
- If you do not have a suitable backup of the answer file, back up the answer file now, and then run the installation script on Satellite and Capsules as described below. See Specifying Installation Options for more information on the answer file.
To configure Satellite or Capsule as DNS server without using an answer file.
See Configuring DNS, DHCP, and TFTP on Capsule Server for more information.
Update the Configuration in Satellite web UI.
After you have run the installation script to make any changes to a Capsule, instruct Satellite to scan the configuration on each affected Capsule as follows:
- Navigate to Infrastructure > Capsules.
- For each Capsule to be updated, from the Actions drop-down menu, select Refresh.
- Configure the domain: - Go to Infrastructure > Domains and select the domain name.
- On the Domain tab, ensure DNS Capsule is set to the Capsule where the subnet is connected.
 
- Configure the subnet: - Go to Infrastructure > Subnets and select the subnet name.
- On the Subnet tab, set IPAM to DHCP or Internal DB.
- On the Domains tab, ensure the domain to be managed by the Satellite or Capsule is selected.
- On the Capsules tab, ensure Reverse DNS Capsule is set to the Capsule where the subnet is connected.
- Click Submit to save the changes.