In this tutorial, we will demonstrate how a Linux IPA v4 server can be integrated with Windows Active Directory indirectly, by establishing a cross-forest trust. The environment used:

  • Windows AD version: Windows 2012 R2
  • Windows IP:
  • Windows hostname:
  • Windows AD Domain:
  • Linux IPA v4 : RHEL7.4
  • Linux IPA IP:
  • Linux IPA hostname:
  • Linux IPA Domain:


Pre-Configuration of IPA

On Linux IPA:

# hostname

# cat /etc/hosts

# iptables -F


IPA installation Steps:

# ipa-server-install

Do you want to configure integrated DNS (BIND)? [no]: yes

Server host name []: [Enter]

Please confirm the domain name []: [Enter]

Please provide a realm name [IPA.ECC.COM]: [Enter]

Do you want to configure DNS forwarders? [yes]: no

Do you want to search for missing reverse zones? [yes]: no

Continue to configure the system with these values? [no]: yes


Configure IPA server for cross-forest trusts

# ipa-adtrust-install

Enable trusted domains support in slapi-nis? [no]: no

NetBIOS domain name [IPA]: [Enter]

Do you want to run the ipa-sidgen task? [no]: no


Configure IPA server to sync time with Active Directory

# ntpdate -u

(then make the AD server a permanent time source in the chrony configuration)


Configure DNS: Conditional DNS forwarders

In the Active Directory server, add a new delegation using the DNS GUI: right-click on “” and choose “New Delegation”.

Delegated domain:

Server FQDN:

IP Address:


Then, add conditional forwarder for IPA domain:

C:\> dnscmd /ZoneAdd /Forwarder


Similarly, on IPA, add conditional forwarder for AD domain:

# ipa dnsforwardzone-add --forwarder= --forward-policy=only

The forward zone should then appear in the IPA web UI.


If IPA is subdomain of AD

If the IPA domain is a subdomain of the AD domain (e.g. the IPA domain is and the AD domain is), configure DNS as follows:

C:\> dnscmd /RecordAdd A

C:\> dnscmd /RecordAdd NS


Disable DNSSEC in IPA

Disable DNSSEC validation in /etc/named.conf

Restart the IPA services

Verify DNS configuration

To make sure both AD and IPA servers can see each other, check if SRV records are being properly resolved.

C:\> nslookup

> set type=srv


> quit


On IPA server:

# dig SRV

# dig SRV
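The SRV check above is the part of the setup that most often fails silently (a forwarder that answers for LDAP but not for Kerberos, or a delegation that never propagated). The following script is an added example, not part of the original tutorial: it parses `dig +noall +answer` output and reports which of the LDAP and Kerberos SRV records for a domain are missing. The domain names (ipa.example.test, ad.example.test) and the sample dig answers are constructed placeholders standing in for the real environment.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check that the SRV records
# a cross-forest trust relies on (LDAP and Kerberos) resolve for a domain.
# The domain names and the sample dig output are constructed placeholders.

IPA_DOMAIN="ipa.example.test"   # assumption: stands in for the real IPA domain
AD_DOMAIN="ad.example.test"     # assumption: stands in for the real AD domain

# Service records each side must be able to find in the other.
SERVICES="_ldap._tcp _kerberos._tcp _kerberos._udp"

# srv_ok DOMAIN DIG_OUTPUT
# Returns 0 when DIG_OUTPUT (the `dig +noall +answer` format) contains an SRV
# answer for every service in SERVICES under DOMAIN, 1 otherwise; missing
# names are reported on stderr.
srv_ok() {
    domain=$1
    output=$2
    missing=0
    for svc in $SERVICES; do
        name="${svc}.${domain}."
        # answer line: NAME TTL IN SRV PRIORITY WEIGHT PORT TARGET
        if ! printf '%s\n' "$output" | grep -q "^${name}[[:space:]].*[[:space:]]SRV[[:space:]]"; then
            echo "missing SRV record: $name" >&2
            missing=1
        fi
    done
    return $missing
}

# live_check DOMAIN: query the resolver for real (needs the forwarders from
# the tutorial to be in place) and feed the answers to srv_ok.
live_check() {
    domain=$1
    output=""
    for svc in $SERVICES; do
        output="$output
$(dig +noall +answer SRV "${svc}.${domain}")"
    done
    srv_ok "$domain" "$output"
}

# Constructed sample: what a healthy AD domain answers.
SAMPLE_AD_OK="_ldap._tcp.ad.example.test. 600 IN SRV 0 100 389 dc1.ad.example.test.
_kerberos._tcp.ad.example.test. 600 IN SRV 0 100 88 dc1.ad.example.test.
_kerberos._udp.ad.example.test. 600 IN SRV 0 100 88 dc1.ad.example.test."

# Constructed sample: forwarder misconfigured, Kerberos over UDP never answered.
SAMPLE_AD_BROKEN="_ldap._tcp.ad.example.test. 600 IN SRV 0 100 389 dc1.ad.example.test.
_kerberos._tcp.ad.example.test. 600 IN SRV 0 100 88 dc1.ad.example.test."

# Stand-alone run: verify both directions against the live resolver.
if [ "${1:-}" = "--live" ]; then
    live_check "$AD_DOMAIN" && live_check "$IPA_DOMAIN" && echo "SRV records OK"
fi
```

Run it with `--live` on the IPA server once the conditional forwarders are in place; run the same checks from the AD side with `nslookup` as shown above, since a one-way failure (IPA resolves AD but not the reverse) is enough to break the trust.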


Add IPA trust with AD domain

# ipa trust-add --type=ad --admin=Administrator

When prompted, enter the password of the AD Administrator.


At the end, modify the /etc/krb5.conf file in the IPA server, setting the following in the [libdefaults] section:

dns_lookup_kdc = true
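Two steps in this tutorial are hand edits of configuration files: turning off DNSSEC validation in /etc/named.conf (the "Disable DNSSEC in IPA" section) and setting dns_lookup_kdc in /etc/krb5.conf (just above). The script below is an added example, not part of the original tutorial: it performs both edits idempotently, replacing an existing setting or adding it in the right section or block, so they can be scripted and re-run safely. It assumes the standard file layouts (an [libdefaults] section in krb5.conf and an options { } block in named.conf); the demo() function works on constructed copies in a temporary directory, not on the real files.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: apply the two file edits
# the tutorial asks for idempotently, so they can be re-run or scripted.
#   - set "dns_lookup_kdc = true" in the [libdefaults] section of krb5.conf
#   - set "dnssec-validation no;" in the options block of named.conf
# The file paths handed to these functions are the caller's; demo() below
# works on constructed copies in a temp directory, never on /etc.

# set_krb5_option FILE KEY VALUE
# Replaces an existing "KEY = ..." line in [libdefaults] (dropping duplicates)
# or appends "KEY = VALUE" to that section; creates the section if absent.
set_krb5_option() {
    file=$1; key=$2; value=$3
    awk -v key="$key" -v value="$value" '
        /^[ \t]*\[/ {                       # a new [section] starts
            if (in_lib && !done) { print "  " key " = " value; done = 1 }
            in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/)
            if (in_lib) seen_lib = 1
        }
        in_lib && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            if (!done) { print "  " key " = " value; done = 1 }
            next
        }
        { print }
        END {
            if (!done) {
                if (!seen_lib) print "[libdefaults]"
                print "  " key " = " value
            }
        }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# set_named_option FILE KEY VALUE
# Replaces "KEY ...;" directly inside the options { } block, or adds
# "KEY VALUE;" just before the block's closing brace. Braces are counted so
# nested blocks such as forwarders { ... }; are left untouched. Assumes the
# file has an options block, as the named.conf generated by IPA does.
set_named_option() {
    file=$1; key=$2; value=$3
    awk -v key="$key" -v value="$value" '
        /^[ \t]*options[ \t]*\{/ { in_opt = 1; depth = 0 }
        in_opt {
            depth += gsub(/\{/, "{")        # opening braces on this line
            closes = gsub(/\}/, "}")        # closing braces on this line
            if (depth == 1 && closes == 0 && $0 ~ ("^[ \t]*" key "[ \t]")) {
                if (!done) { print "    " key " " value ";"; done = 1 }
                next
            }
            if (depth - closes == 0) {      # this line closes options { }
                if (!done) { print "    " key " " value ";"; done = 1 }
                in_opt = 0
            }
            depth -= closes
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# demo: write constructed copies of both files into a temp dir, apply the
# edits and print the directory path so the results can be inspected.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/krb5.conf" <<'EOF'
[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 default_realm = IPA.EXAMPLE.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 IPA.EXAMPLE.TEST = {
 }
EOF
    cat > "$dir/named.conf" <<'EOF'
options {
    directory "/var/named";
    forwarders { 192.0.2.53; };
    dnssec-enable yes;
    dnssec-validation yes;
};

zone "." IN {
    type hint;
    file "named.ca";
};
EOF
    set_krb5_option "$dir/krb5.conf" dns_lookup_kdc true
    set_named_option "$dir/named.conf" dnssec-validation no
    echo "$dir"
}

# Stand-alone run: show the edited copies.
if [ "${1:-}" = "--demo" ]; then
    d=$(demo); cat "$d/krb5.conf" "$d/named.conf"; rm -rf "$d"
fi
```

Against the real files you would call `set_named_option /etc/named.conf dnssec-validation no` and `set_krb5_option /etc/krb5.conf dns_lookup_kdc true`, then restart the IPA services as the tutorial says; because both functions replace rather than append, running them again after an upgrade leaves the files unchanged.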


Testing: create a user in AD, then resolve it on the IPA server:

# id