• Отключить репозиторий ciscobinary.openh264.org

sudo sed -i 's/enabled=1/enabled=0/g' /etc/yum.repos.d/fedora-cisco-openh264.repo
sudo yum update

• Установить пакеты freeipa-server

sudo dnf install freeipa-server freeipa-server-dns -y

• Открыть на Firewall порты

#sudo yum install firewall-cmd -y
#sudo systemctl enable firewalld --now
sudo firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,kerberos,http,https,ntp} --permanent
sudo firewall-cmd --reload

• Выполнить установку Контроллера домена

sudo ipa-server-install --allow-zone-overlap 

Do you want to configure integrated DNS (BIND)? [no]: yes
Server host name [dc01.sdksystems.ru]:
Please confirm the domain name [sdksystems.ru]:
Please provide a realm name [SDKSYSTEMS.RU]:
Directory Manager password: 
Password (confirm):
IPA admin password:
Password (confirm):

NetBIOS domain name [SDKSYSTEMS]:
Do you want to configure chrony with NTP server or pool address? [no]: yes

vi /etc/named/ipa-ext.conf acl «trusted_network» {

localnets;
localhost;
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;

};

vi /etc/named/ipa-options-ext.conf allow-recursion { trusted_network; }; allow-query-cache { trusted_network; };

ipactl restart

На реплике:

sudo yum install freeipa-server freeipa-server-dns -y
sudo firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,kerberos,http,https,ntp} --permanent
sudo firewall-cmd --reload
sudo ipa-client-install --domain=sdksystems.ru --server=dc01.sdksystems.ru
sudo reboot

На основном сервере kinit ipa hostgroup-add-member ipaservers –hosts dc02.sdksystems.ru