4.2. Interactive installation of an IdM server with integrated DNS and without a CA


During the interactive installation using the ipa-server-install utility, you are asked to supply the basic configuration of the system, for example the realm, the administrator's password and the Directory Manager's password.

The ipa-server-install installation script creates a log file at /var/log/ipaserver-install.log. If the installation fails, the log can help you identify the problem.

Procedure

  1. Run the ipa-server-install utility and provide all the required certificates. For example:

    [root@server ~]# ipa-server-install \
        --http-cert-file /tmp/server.crt \
        --http-cert-file /tmp/server.key \
        --http-pin secret \
        --dirsrv-cert-file /tmp/server.crt \
        --dirsrv-cert-file /tmp/server.key \
        --dirsrv-pin secret \
        --ca-cert-file ca.crt

    See Certificates required to install an IdM server without a CA for details on the provided certificates.

  2. The script prompts you to configure an integrated DNS service. Enter yes or no. In this procedure, we are installing a server with integrated DNS.

    Do you want to configure integrated DNS (BIND)? [no]: yes
    Note

    If you want to install a server without integrated DNS, the installation script will not prompt you for DNS configuration as described in the steps below. See Installing an IdM server: Without integrated DNS, with an integrated CA as the root CA for details on the steps for installing a server without DNS.

  3. The script prompts for several required settings and offers recommended default values in brackets.

    • To accept a default value, press Enter.
    • To provide a custom value, enter the required value.

      Server host name [server.idm.example.com]:
      Please confirm the domain name [idm.example.com]:
      Please provide a realm name [IDM.EXAMPLE.COM]:
      Warning

      Plan these names carefully. You will not be able to change them after the installation is complete.

  4. Enter the passwords for the Directory Server superuser (cn=Directory Manager) and for the Identity Management (IdM) administration system user account (admin).

    Directory Manager password:
    IPA admin password:
  5. The script prompts for per-server DNS forwarders.

    Do you want to configure DNS forwarders? [yes]:
    • To configure per-server DNS forwarders, enter yes, and then follow the instructions on the command line. The installation process will add the forwarder IP addresses to the IdM LDAP.

      • For the forwarding policy default settings, see the --forward-policy description in the ipa-dns-install(1) man page.
    • If you do not want to use DNS forwarding, enter no.

      With no DNS forwarders, hosts in your IdM domain will not be able to resolve names from other, internal, DNS domains in your infrastructure. The hosts will only be left with public DNS servers to resolve their DNS queries.

  6. The script prompts you to check whether any DNS reverse (PTR) records for the IP addresses associated with the server need to be configured.

    Do you want to search for missing reverse zones? [yes]:

    If you run the search and missing reverse zones are discovered, the script asks you whether to create the reverse zones along with the PTR records.

    Do you want to create reverse zone for IP 192.0.2.1 [yes]:
    Please specify the reverse zone name [2.0.192.in-addr.arpa.]:
    Using reverse zone(s) 2.0.192.in-addr.arpa.
    Note

    Using IdM to manage reverse zones is optional. You can use an external DNS service for this purpose instead.

  7. Enter yes to confirm the server configuration.

    Continue to configure the system with these values? [no]: yes
  8. The installation script now configures the server. Wait for the operation to complete.
  9. After the installation script completes, update your DNS records in the following way:

    1. Add DNS delegation from the parent domain to the IdM DNS domain. For example, if the IdM DNS domain is idm.example.com, add a name server (NS) record to the example.com parent domain.

      Important

      Repeat this step each time after an IdM DNS server is installed.

    2. Add an _ntp._udp service (SRV) record for your time server to your IdM DNS. The presence of the SRV record for the time server of the newly-installed IdM server in IdM DNS ensures that future replica and client installations are automatically configured to synchronize with the time server used by this primary IdM server.
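The following helper, added here as a worked example and not part of Red Hat's documentation or the ipa-server-install code, pulls together the DNS decisions made in steps 5, 6 and 9 and the unattended equivalent of the interactive answers. The reverse zone it proposes assumes the installer's default zone sizes (/24 for IPv4, /64 for IPv6); the page only shows the IPv4 case (192.0.2.1 becomes 2.0.192.in-addr.arpa.). The option names in unattended_install_command are the documented ipa-server-install flags; the host names, addresses and the NTP server are constructed placeholders.

```python
"""DNS helpers around an IdM server install (added example, not Red Hat code)."""
import ipaddress
import shlex
from typing import List, Optional, Sequence, Tuple


def reverse_zone_name(ip: str) -> str:
    """Reverse zone ipa-server-install proposes for the server address.

    Assumption of this example: /24 zones for IPv4, /64 zones for IPv6,
    which are the installer's defaults when you answer "yes" in step 6.
    """
    addr = ipaddress.ip_address(ip)
    labels = addr.reverse_pointer.split(".")
    if addr.version == 4:
        zone_labels = labels[1:]      # drop the host octet, keep 3 octets + in-addr.arpa
    else:
        zone_labels = labels[16:]     # drop the 64 host bits (16 nibbles), keep prefix + ip6.arpa
    return ".".join(zone_labels) + "."


def ptr_record(ip: str, fqdn: str) -> str:
    """PTR record the installer creates for the server inside that reverse zone."""
    return f"{ipaddress.ip_address(ip).reverse_pointer}. IN PTR {fqdn}."


def delegation_records(idm_domain: str, server_fqdn: str, server_ip: str) -> List[str]:
    """Records to add to the parent zone (step 9.1): the NS record, plus the
    glue address record that standard DNS requires when the name server's own
    name lies inside the zone being delegated."""
    rtype = "A" if ipaddress.ip_address(server_ip).version == 4 else "AAAA"
    return [
        f"{idm_domain}. IN NS {server_fqdn}.",
        f"{server_fqdn}. IN {rtype} {server_ip}",
    ]


def ntp_srv_record(idm_domain: str, ntp_server: str, port: int = 123) -> str:
    """_ntp._udp SRV record for the IdM DNS zone (step 9.2); priority 0, weight 100."""
    return f"_ntp._udp.{idm_domain}. IN SRV 0 100 {port} {ntp_server}."


def unattended_install_command(
    hostname: str,
    domain: str,
    realm: str,
    server_ip: str,
    cert_files: Sequence[Tuple[str, str]],
    forwarders: Sequence[str] = (),
    dm_password: Optional[str] = None,
    admin_password: Optional[str] = None,
) -> str:
    """Unattended ipa-server-install line equivalent to the interactive answers.

    Passwords are optional on purpose: anything passed on the command line is
    visible in shell history and /proc/<pid>/cmdline, so leave them out and let
    the installer prompt for them, exactly as in the interactive procedure.
    """
    cmd = ["ipa-server-install", "--unattended",
           "--hostname", hostname, "--domain", domain, "--realm", realm,
           "--setup-dns", "--reverse-zone", reverse_zone_name(server_ip)]
    if forwarders:
        for fwd in forwarders:                 # step 5, answered "yes"
            cmd += ["--forwarder", fwd]
    else:
        cmd.append("--no-forwarders")          # step 5, answered "no"
    if dm_password is not None:
        cmd += ["--ds-password", dm_password]
    if admin_password is not None:
        cmd += ["--admin-password", admin_password]
    for option, path in cert_files:            # --http-cert-file, --dirsrv-cert-file, --ca-cert-file
        cmd += [option, path]
    return shlex.join(cmd)


if __name__ == "__main__":
    server, ip = "server.idm.example.com", "192.0.2.1"   # constructed values
    print(reverse_zone_name(ip))
    print(ptr_record(ip, server))
    print("\n".join(delegation_records("idm.example.com", server, ip)))
    print(ntp_srv_record("idm.example.com", "ntp.example.com"))
    print(unattended_install_command(server, "idm.example.com", "IDM.EXAMPLE.COM", ip,
                                     [("--http-cert-file", "/tmp/server.crt"),
                                      ("--http-cert-file", "/tmp/server.key"),
                                      ("--dirsrv-cert-file", "/tmp/server.crt"),
                                      ("--dirsrv-cert-file", "/tmp/server.key"),
                                      ("--ca-cert-file", "ca.crt")],
                                     forwarders=["192.0.2.53"]))
```

The same exposure applies to the `--http-pin secret` and `--dirsrv-pin secret` arguments in step 1: if the private keys are encrypted, prefer a pin file or the interactive prompt over a literal on the command line. Whatever you produce with delegation_records and ntp_srv_record still has to be loaded into the parent zone and the IdM zone respectively; the helper only formats the records.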